I manage our IT at my organization using O365. One of our users recently received an email from the address support@<domain>. I have not created this email address in our domain. I got on with Microsoft support and they did a message trace on it that showed the return path was also support@<domain>. They said this showed that someone was able to create an email address within the domain. I am concerned about what this means and what access this person might have. Is it possible to spoof a return path?
We have MFA enabled for all users. We have SPF enabled and I'm now working on DMARC and DKIM. I've reset everyone's passwords.
What else can I do to protect against this? What can I do to ensure that there is no current unauthorized access to our domain?
Thanks very much.
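As an added example (not part of the original post or of any Microsoft tooling), the script below shows why a return path on its own proves nothing about who sent a message, and what the SPF/DKIM/DMARC results the poster is working on actually tell you. The Return-Path header is simply the SMTP MAIL FROM address that the receiving server records; any sending server can put any address there. What distinguishes a forged message from a genuine one is the Authentication-Results header the receiving mail system stamps on it. The three messages in the script are constructed, the domain example.com stands in for the poster's domain, the header layout imitates the Exchange Online style but is not a real trace, and the alignment check uses strict domain equality (real DMARC also allows relaxed, organizational-domain alignment).

```python
"""Classify inbound messages as spoofed or legitimate from their headers.

Added example, not from the original post.  All messages below are
constructed; example.com is a placeholder for the poster's own domain and
the IP addresses are documentation ranges.
"""
import email
import email.utils
import re

# Pulls method=result pairs and the domains they were evaluated against out of
# an Authentication-Results value, e.g. spf=fail ... smtp.mailfrom=example.com
AUTH_TOKEN_RE = re.compile(
    r"(?<![\w.])(spf|dkim|dmarc|compauth|smtp\.mailfrom|header\.d|header\.from)="
    r"([^\s;()]+)",
    re.IGNORECASE,
)

# Constructed: an outside server forging BOTH From and Return-Path as our domain.
# Nothing stops a third party from writing support@example.com into MAIL FROM,
# which is exactly what a message trace reports as the return path.
SPOOFED_MESSAGE = """\
Return-Path: <support@example.com>
Authentication-Results: spf=fail (sender IP is 203.0.113.7)
 smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=example.com
From: "IT Support" <support@example.com>
To: user@example.com
Subject: Password expiry notice

Your password expires today, click here.
"""

# Constructed: a genuine message from our own tenant; SPF and DKIM both pass
# for the same domain that appears in From, so DMARC is satisfied.
LEGIT_MESSAGE = """\
Return-Path: <helpdesk@example.com>
Authentication-Results: spf=pass (sender IP is 198.51.100.4)
 smtp.mailfrom=example.com; dkim=pass (signature was verified)
 header.d=example.com; dmarc=pass action=none header.from=example.com
From: "Helpdesk" <helpdesk@example.com>
To: user@example.com
Subject: Ticket closed

Your ticket has been resolved.
"""

# Constructed: the attacker uses a domain they control for MAIL FROM so SPF
# passes, but the visible From is ours.  SPF alone is fooled; DMARC alignment
# is what catches this, which is why SPF without DMARC is not enough.
MISALIGNED_MESSAGE = """\
Return-Path: <bounce@attacker.example>
Authentication-Results: spf=pass (sender IP is 203.0.113.9)
 smtp.mailfrom=attacker.example; dkim=pass (signature was verified)
 header.d=attacker.example; dmarc=fail action=none header.from=example.com
From: "IT Support" <support@example.com>
To: user@example.com
Subject: MFA reset required

Re-enrol your MFA device here.
"""


def parse_auth_results(header_value: str) -> dict:
    """Return e.g. {'spf': 'fail', 'smtp.mailfrom': 'example.com', ...}."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in AUTH_TOKEN_RE.finditer(header_value)}


def address_domain(header_value: str) -> str:
    """Domain part of a header like '"IT Support" <support@example.com>'."""
    _, addr = email.utils.parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def assess(raw_message: str, our_domain: str) -> dict:
    """Verdicts: 'spoofed' (claims our domain, no aligned SPF/DKIM pass),
    'legit' (claims our domain with aligned pass), 'external' (other domain)."""
    msg = email.message_from_string(raw_message)
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = address_domain(msg.get("From", ""))
    mailfrom_domain = address_domain(msg.get("Return-Path", ""))
    claims_ours = our_domain.lower() in (from_domain, mailfrom_domain)
    # DMARC-style alignment: the domain that passed must be the From domain.
    spf_aligned = results.get("spf") == "pass" and mailfrom_domain == from_domain
    dkim_aligned = results.get("dkim") == "pass" and results.get("header.d") == from_domain
    if not claims_ours:
        verdict = "external"
    elif spf_aligned or dkim_aligned:
        verdict = "legit"
    else:
        verdict = "spoofed"
    return {"verdict": verdict, "from_domain": from_domain,
            "mailfrom_domain": mailfrom_domain, "results": results}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE),
                      ("misaligned", MISALIGNED_MESSAGE)):
        print(name, assess(raw, "example.com")["verdict"])
```

Run against the real message, the same check is done by reading the Authentication-Results header of the message the user received: a fail or none on SPF and DKIM with the From and Return-Path both set to the tenant's domain is the signature of an outside spoof, not of an account created inside the tenant. Until DMARC is published with a reject policy and enforced, the third case above shows that a passing SPF result on the attacker's own domain does nothing to protect the From address users see.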