One of our users seems to have received a spoof email from another user in our organization. In the "From" field the address is one of our email accounts, but it seems suspicious that it's really not. What would I look for to verify the real sender in the header?
It will reveal if it was generated from your own systems, or just a spoofed email from some random country.
Use a REAL email from that supposed user to compare. You'll probably see big differences (it means it's probably spoofed). If it looks a bit identical, you may be in danger.
You can post the full headers here for us to decode, but if you see some identifying info, you may mark it as something else, as long as it's clear.
If you send 2 email headers to check (one real, and the one for us to investigate), and you see similar IP addresses you don't want to reveal, mark them as %IP_NR_001% (and _002, etc) on BOTH email headers (if they are equal of course).
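The compare-and-mask procedure from the replies above, as an added example that is not part of the original thread: it masks IPs with one shared `%IP_NR_00n%` mapping across both header sets, then lists the fields that differ between the known-good and the suspect mail. The function names and the sample headers are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # IPv4 only, to keep this short

def redact_ips(*raw_headers):
    """Mask each distinct IP as %IP_NR_00n%, with ONE mapping shared by all inputs."""
    mapping = {}
    def marker(m):
        return mapping.setdefault(m.group(0), "%%IP_NR_%03d%%" % (len(mapping) + 1))
    return [IP_RE.sub(marker, h) for h in raw_headers], mapping

def summarize(raw):
    """Fields worth comparing; origin_hop is the bottom-most Received, minus timestamp."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    auth = " ".join(msg.get_all("Authentication-Results") or [])
    domain = lambda v: parseaddr(v or "")[1].rpartition("@")[2].lower()
    return {
        "from_domain": domain(msg["From"]),
        "return_path_domain": domain(msg["Return-Path"]),
        "message_id_domain": domain(msg["Message-ID"]),
        "origin_hop": " ".join(received[-1].split(";")[0].split()) if received else "",
        "auth": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth)),
    }

def differences(real, suspect):
    """Return {field: (real_value, suspect_value)} for every field that differs."""
    a, b = summarize(real), summarize(suspect)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

# Constructed sample headers (documentation domains and IP ranges only).
TEMPLATE = """\
Received: from mx.example.com ([192.0.2.1]) by mbox.example.com; Mon, 1 Jan 2024 10:00:05 +0000
Received: from {host} ([{ip}]) by mx.example.com; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.com; spf={spf}; dkim={dkim}; dmarc={spf}
Return-Path: <{rp}>
From: Alice <alice@example.com>
Message-ID: <abc123@{host}>
"""
REAL = TEMPLATE.format(host="mail.example.com", ip="192.0.2.10", spf="pass", dkim="pass", rp="alice@example.com")
SUSPECT = TEMPLATE.format(host="host.example.net", ip="203.0.113.55", spf="fail", dkim="none", rp="bounce@example.net")

if __name__ == "__main__":
    (real_red, suspect_red), _ = redact_ips(REAL, SUSPECT)
    print(suspect_red)  # shared hop carries the same marker in both masked copies
    for field, (good, bad) in differences(real_red, suspect_red).items():
        print(f"{field}: real={good!r} suspect={bad!r}")
```

The `From` domain matches in both samples, so it does not show up in the differences; the originating hop, `Return-Path`, `Message-ID` domain and authentication results do.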