Did they just guess his email password?

Is my customer's PC infected, or did they guess his email password?
I just got this spear-phishing email from my customer:
I am his supplier. We both use Office 365. Looks to me like they guessed his password, but I am not certain:
He is Customer Lastname, his email address is customer01@lastname.com
I am Supplier and my email address is supplier@supplier01tech.net
Received: from CO2PR0801MB2150.namprd08.prod.outlook.com (10.174.173.155) by
 CO2PR0801MB2149.namprd08.prod.outlook.com with HTTPS via
 MWHPR03CA0038.NAMPRD03.PROD.OUTLOOK.COM; Mon, 19 Mar 2018 17:10:19 +0000
Received: from SN4PR0801CA0002.namprd08.prod.outlook.com (10.161.215.140) by
 CO2PR0801MB2150.namprd08.prod.outlook.com (10.166.214.155) with Microsoft
 SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.588.14; Mon, 19
 Mar 2018 17:10:16 +0000
Received: from DM3NAM05FT033.eop-nam05.prod.protection.outlook.com
 (2a01:111:f400:7e51::206) by SN4PR0801CA0002.outlook.office365.com
 (2603:10b6:803:29::12) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.588.14 via Frontend
 Transport; Mon, 19 Mar 2018 17:10:16 +0000
Authentication-Results: spf=permerror (sender IP is 104.47.34.129)
 smtp.mailfrom=lastname.com; supplier01tech.net; dkim=pass (signature was
 verified) header.d=lastname.onmicrosoft.com;supplier01tech.net; dmarc=none
 action=none header.from=lastname.com;
Received-SPF: PermError (protection.outlook.com: domain of lastname.com used an
 invalid SPF mechanism)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (104.47.34.129)
 by DM3NAM05FT033.mail.protection.outlook.com (10.152.98.145) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
 15.20.631.2 via Frontend Transport; Mon, 19 Mar 2018 17:10:15 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=lastname.onmicrosoft.com; s=selector1-lastname-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=dgnhHlGFn6sAWWxFklL2eeUAY00RjfiT0SoLVtKf9ZU=;
 b=iGattOOyjNol4hlDocIj87N0fTo8bm9B0AHznsu2ELZtvLRH/xY6gFIYY8LQ8N1Gfc8G3iTNBKjKsx0qPGoEL8EcT9R4La0ySS2OdfCK7QzFcSp1Atk2fxV4lyS/8Dz4vP1rhC6ZrLGaC58KKu+t91+WLUE0+wgkFU9H+8aI7l8=
Received: from BN6PR19MB1281.namprd19.prod.outlook.com (10.172.211.136) by
 BN6PR19MB1522.namprd19.prod.outlook.com (10.172.210.151) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.588.14; Mon, 19 Mar 2018 17:10:10 +0000
Received: from BN6PR19MB1281.namprd19.prod.outlook.com ([10.172.211.136]) by
 BN6PR19MB1281.namprd19.prod.outlook.com ([10.172.211.136]) with mapi id
 15.20.0588.017; Mon, 19 Mar 2018 17:10:10 +0000
From: customer01 lastname <customer01@lastname.com>
To: customer01 lastname <customer01@lastname.com>
Subject: Completed: Please DocuSign: lastname & lastname
Thread-Topic: Completed: Please DocuSign: lastname & lastname
Thread-Index: AQHTv6UHNv/XB/jbHEiI4eqq1dvERw==
Date: Mon, 19 Mar 2018 17:09:24 +0000
Message-ID: <C148300F-A5F9-4338-BD31-587645065EEB@lastname.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Authentication-Results-Original: spf=none (sender IP is )
 smtp.mailfrom=customer01@lastname.com;
x-originating-ip: [104.129.18.203]
x-ms-publictraffictype: Email
X-Microsoft-Exchange-Diagnostics-untrusted: 1;BN6PR19MB1522;7:eUe2F/X7WhWHSexyHDjSiiQNGWLqTaD6shCfZ4DsJP55WvR324/8UsDXHJZ+O1ibWnJKRrSIX8OVbBdg/TfExgw6jdjLsNhem1CL0KSQE0edIT6BB3ZOhWXuXS8OZ8XxzGjbuqgXoEH7P46jCw+opXaYtFpXUzjGbCvkJhfeCgmxUbyauXR1LydyiuIT3LC1aP+DngWggWmuFGCwaNaPjTCf8s+tcRfwtdbfJBqvzPSVj5POqCPdt5CxQChObiGi
X-MS-Office365-Filtering-Correlation-Id: 0876adbc-f699-4b69-d3d2-08d58dbc4918
X-Microsoft-Antispam-Untrusted: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(2017052603328)(7153060)(49563074)(7193020);SRVR:BN6PR19MB1522;
X-MS-TrafficTypeDiagnostic: BN6PR19MB1522:|CO2PR0801MB2150:
x-microsoft-antispam-prvs: <BN6PR19MB152218D4F2770A5DB267E5CDCCD40@BN6PR19MB1522.namprd19.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(21748063052155);UriScan:(28532068793085)(189930954265078)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(102415395)(6040522)(2401047)(8121501046)(5005006)(3231221)(944501300)(52105095)(3002001)(93006095)(93001095)(10201501046)(6041310)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(2016111802025)(20161123558120)(6072148)(6043046)(201708071742011);SRVR:BN6PR19MB1522;BCL:0;PCL:0;RULEID:;SRVR:BN6PR19MB1522;BCL:0;PCL:0;RULEID:(102415395)(2401047)(8121501046)(1430347)(1431041)(1551027)(9101536074)(3002001)(93006095)(93003095)(10201501046)(3231221)(902075)(903095)(944500087)(944510158)(944921075)(946801075)(946901075)(52103095)(52104095)(52105095)(52106095)(52401095)(52601095)(52606095)(52602095)(52606095)(52505095)(52406095)(1610001)(8301001075)(8301003183)(201708071742011);SRVR:CO2PR0801MB2150;BCL:0;PCL:0;RULEID:;SRVR:CO2PR0801MB2150;
x-forefront-prvs: 06167FAD59
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM;SFS:(10019020)(39380400002)(39840400004)(396003)(346002)(366004)(376002)(47650400002)(189003)(199004)(40134004)(7416002)(7406005)(83716003)(316002)(7276002)(7366002)(6666003)(77096007)(6862004)(86362001)(37006003)(39060400002)(25786009)(7336002)(59450400001)(551944002)(106356001)(68736007)(7736002)(82746002)(26005)(5660300001)(3846002)(861006)(97736004)(2900100001)(99936001)(102836004)(53936002)(36756003)(6506007)(606006)(6116002)(105586002)(99286004)(53366004)(53376002)(14454004)(2906002)(3280700002)(3660700001)(478600001)(6200100001)(236005)(6306002)(8936002)(81166006)(8676002)(8656006)(81156014)(33656002)(6512007)(54556002)(733005)(8666007)(6486002)(66066001)(54896002)(6436002)(19628015004)(56050400004)(9984715007);DIR:OUT;SFP:1102;SCL:1;SRVR:BN6PR19MB1522;H:BN6PR19MB1281.namprd19.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en;
received-spf: None (protection.outlook.com: lastname.com does not designate
 permitted sender hosts)
X-Microsoft-Antispam-Message-Info-Original: Gyd1VYDNznc8wxnsYTrq389ihOTvxLJH921MwD1uWlmgCtJ1ytp0MGrgSWlpqHrhXE4+StfdSpKKA6ujBm4rjrBphvnhq/vaPvoga6SAojXHQA0Wto+2j5aGBkCmTmBFq/0Lw/5eOmxIgXJj91O+yWJP0lwdJ7gECAzGnRXIV6337IxrAaEZJ+Thm1b8U2XaNCnJFKrbNfvnVNdBPDIpo4dftsY8UkuwyqYoCkDkCwrqiv1kdb3v3iz3220b/Jgft5oQNmrKR9tzzW/5K+7ijlayRLhvyw2dHSYlbDrHY+Ey4KQ6Ei+EeujTsjeY5Mu0TTFb2PlCR+BnOe5167d0ew==
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
Content-Type: multipart/related;
      boundary="_004_C148300FA5F94338BD31587645065EEBlastnamecom_";
      type="multipart/alternative"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR19MB1522
Return-Path: customer01@lastname.com
X-MS-Exchange-Organization-Network-Message-Id: 0876adbc-f699-4b69-d3d2-08d58dbc4918
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: c8dbffea-61ec-4035-828b-91d8509afb8a:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DM3NAM05FT033.eop-nam05.prod.protection.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted: DM3NAM05FT033.eop-nam05.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:104.47.34.129;IPV:NLI;CTRY:;EFV:NLI;SFV:NSPM;SFS:(8156002)(2980300002)(448002)(47650400002)(40134004)(199004)(189003)(77096007)(82746002)(85326001)(6666003)(2900100001)(336012)(6306002)(8636004)(37006003)(733005)(6486002)(26005)(6436002)(59450400001)(7736002)(5660300001)(33964004)(54896002)(62580400003)(6506007)(15003)(14454004)(236005)(86362001)(606006)(84326002)(6512007)(16586007)(6862004)(102836004)(45080400002)(6116002)(3846002)(99936001)(551944002)(356003)(106466001)(25786009)(30436002)(53366004)(53376002)(33656002)(15974865002)(6200100001)(66066001)(66926002)(246002)(99286004)(54556002)(1096003)(83716003)(67866002)(36756003)(7636002)(8676002)(19628015004)(56050400004)(9984715007);DIR:INB;SFP:;SCL:1;SRVR:CO2PR0801MB2150;H:NAM01-BY2-obe.outbound.protection.outlook.com;FPR:;SPF:PermError;PTR:mail-by2nam01on0129.outbound.protection.outlook.com;A:1;MX:1;LANG:en;
X-Microsoft-Exchange-Diagnostics: 1;DM3NAM05FT033;1:4th6BCh4p1L633YHyvy1SR0AlNCakjXdCYcUzNCt2tJCJd4Mh4Z3l6zfnVWctc9YbIT1OPEU2LCIM+RG72XAXhLvlc+dMHJbkuLPa4oedA7UWWSs8KHnJjjRo9bUGpsV
X-MS-Exchange-Organization-AuthSource: DM3NAM05FT033.eop-nam05.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(5600026)(4604075)(4605076)(49563074)(1401096)(8001031)(1405069)(71702078)(7193020);SRVR:CO2PR0801MB2150;
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Mar 2018 17:10:15.9556
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 0876adbc-f699-4b69-d3d2-08d58dbc4918
X-MS-Exchange-CrossTenant-Id: c8dbffea-61ec-4035-828b-91d8509afb8a
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO2PR0801MB2150
X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.9645871
X-MS-Exchange-Processed-By-BccFoldering: 15.20.0588.000
HardwareDudeAsked:

JohnBusiness Consultant (Owner)Commented:
It is more likely the customer's computer is infected than that the password was guessed. Change the password anyway and then scan this problem computer with the user's AV application, followed with a scan with Malwarebytes.

If the infection is serious, backup, format and re-install Windows may be necessary.
0
HardwareDudeAuthor Commented:
Did you read the email headers? It looks like it really came from Office 365 servers. Vipre and Malwarebytes scans yielded 0 infections.
0
JohnBusiness Consultant (Owner)Commented:
A virus can emulate an email sender - that happens. That is why I suggested the computer has a virus.
0
Fred MarshallPrincipalCommented:
(I don't particularly want to parse the very cryptic email just to save you some work.  Just saying....  Maybe some filtering and identification of the sender's address, etc. would help.)

It seems to me that fake emails arrive frequently enough with the ACTUAL source not being what appears to be.
Can you eliminate that possibility?
It doesn't take a virus on the sender's computer to fake his/her address from somewhere else.
1
HardwareDudeAuthor Commented:
Fred - good point - I clarified the post.
He is Customer Lastname, his email address is customer01@lastname.com
I am Supplier and my email address is supplier@supplier01tech.net
0
CompProbSolvCommented:
I've wondered about this same sort of thing, too. When I get bogus emails with a client's name, it's usually pretty obvious in the header that it didn't come from that person. I don't recall exactly where I've seen it in the header, but it's always been clear. That's not the case here. Other than the message I've listed below, the rest looks OK (though I'm not an expert on this).

There's one very interesting message in the header: "Received-SPF: PermError (protection.outlook.com: domain of lastname.com used an invalid SPF mechanism)".

Did you have the client check to see if this message is in his Sent Mail?  That should give you a good clue if it really was sent from there.  If it shows up, then you know it was sent from his account either by a virus on his computer sending while he was logged in or by someone guessing his password (far less likely).  If it's not in Sent Mail, it probably didn't come from his account.  The sender could have deleted it, but I'd bet not.
0
David Johnson, CD, MVPOwnerCommented:
Did a lookup of the sender's IP address and it was from a server hosted by Quadranet (104.129.18.203). The user's machine may be infected, or he was spoofed by a spear-phishing message and has lost control of his Office 365 account (change password).
0

Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Header says sender's system was probably compromised. They clicked on a bad link or opened a bad attachment.

Time to wipe & reload.

Two Factor Authentication (2FA) should be _mandatory_ for all O365 accounts. It's included and free and par for Microsoft's recommended Best Practices for quite a while now.
0
HardwareDudeAuthor Commented:
Scary- when people sent him a message back, they would receive another follow up message with the text:
"yes you can open it". Several recipients reported this.
I found 1 message saying that in his "sent items". All other sent items pertaining to "FW: Completed: Please DocuSign: <<company name>>" have been deleted, and not by me or my customer. On the plus side, it has been quiet since we changed the password.
Thank you for your help everyone.
0
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Anything that has been deleted should be able to be recovered via the Recover Deleted Items dialogue in Outlook or via OWA.
0
DonNetwork AdministratorCommented:
Looks to me that there is an SPF issue

Received-SPF: PermError (protection.outlook.com: domain of lastname.com used an
  invalid SPF mechanism)
0
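
The header reading done in the answers above (the SPF PermError, the x-originating-ip lookup), as an added Python example that is not part of the original thread: it walks the Received chain oldest-first and pulls out the fields the thread relies on. The header sample is copied from the question, unfolded and trimmed; the function names and the `mailbox_submission` heuristic are this example's own assumptions.

```python
import re
from email import message_from_string

# Headers copied from the question above, unfolded and trimmed to the fields used here.
RAW = """\
Received: from SN4PR0801CA0002.namprd08.prod.outlook.com (10.161.215.140) by CO2PR0801MB2150.namprd08.prod.outlook.com (10.166.214.155) with Microsoft SMTP Server id 15.20.588.14; Mon, 19 Mar 2018 17:10:16 +0000
Authentication-Results: spf=permerror (sender IP is 104.47.34.129) smtp.mailfrom=lastname.com; supplier01tech.net; dkim=pass (signature was verified) header.d=lastname.onmicrosoft.com;supplier01tech.net; dmarc=none action=none header.from=lastname.com;
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (104.47.34.129) by DM3NAM05FT033.mail.protection.outlook.com (10.152.98.145) with Microsoft SMTP Server id 15.20.631.2 via Frontend Transport; Mon, 19 Mar 2018 17:10:15 +0000
Received: from BN6PR19MB1281.namprd19.prod.outlook.com (10.172.211.136) by BN6PR19MB1522.namprd19.prod.outlook.com (10.172.210.151) with Microsoft SMTP Server id 15.20.588.14; Mon, 19 Mar 2018 17:10:10 +0000
Received: from BN6PR19MB1281.namprd19.prod.outlook.com ([10.172.211.136]) by BN6PR19MB1281.namprd19.prod.outlook.com ([10.172.211.136]) with mapi id 15.20.0588.017; Mon, 19 Mar 2018 17:10:10 +0000
From: customer01 lastname <customer01@lastname.com>
x-originating-ip: [104.129.18.203]
Return-Path: customer01@lastname.com

"""

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(Microsoft SMTP Server|\w+)")

def hops(msg):
    """Received hops oldest-first as (from_host, by_host, protocol), lowercased."""
    out = []
    for value in reversed(msg.get_all("Received", [])):  # newest hop is the top header
        m = HOP.search(" ".join(value.split()))           # undo header folding
        if m:
            out.append(tuple(s.lower() for s in m.groups()))
    return out

def auth_results(msg):
    """spf/dkim/dmarc verdicts stamped by the receiving side."""
    value = " ".join((msg.get("Authentication-Results") or "").split())
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)
    return {k.lower(): v.lower() for k, v in found}

def triage(raw):
    msg = message_from_string(raw)
    chain = hops(msg)
    first = chain[0] if chain else (None, None, None)
    auth = auth_results(msg)
    ip = re.search(r"[0-9a-fA-F:.]{3,}", msg.get("x-originating-ip", ""))
    # Assumption (heuristic): an oldest hop "with mapi" whose from and by hosts
    # match means the message was submitted from a mailbox on that server,
    # not relayed in over SMTP by an outside host forging the From line.
    mailbox = first[2] == "mapi" and first[0] == first[1]
    return {
        "hops": len(chain),
        "first_hop_protocol": first[2],
        "mailbox_submission": mailbox,
        "client_ip": ip.group(0) if ip else None,  # address to look up and to match in sign-in logs
        "spf": auth.get("spf"),
        "dkim": auth.get("dkim"),
        "dmarc": auth.get("dmarc"),
    }

if __name__ == "__main__":
    for key, value in triage(RAW).items():
        print(f"{key:20} {value}")
```

A mailbox submission with a passing DKIM signature from the sender's own tenant points at use of the real account rather than a forged From line; the SPF PermError is a separate misconfiguration in the lastname.com record.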
HardwareDudeAuthor Commented:
Thank you for your help!
0