You are advised to check with the user in question to confirm this, and to provide the email they responded to so that detection measures can be added.
Before we can re-enable the user account, you need to provide the following information in your support case:
1. Confirmation of a detailed virus scan of all machines on your network.
2. Whether any machines were found to be infected.
3. If any machines were infected, how they were cleared of infection.
4. Confirmation of whether the user in question responded to an email with their user credentials.
5. Whether they followed a link requesting their user credentials.
6. If you answered 'no' to questions 2, 3, 4, and 5, confirmation of how the user was compromised.
7. Whether the user's password has been changed and whether it is a strong password.
8. Confirmation that the user cannot reuse any of their previously used passwords.
9. Whether the user has been educated not to reply to emails asking for usernames and passwords.
10. Whether other users have responded to similar emails.
11. Actions being taken to prevent further compromised accounts.
12. A copy of the phishing email received by the user, for detection purposes.
13. Confirmation that you have read the best practice guidelines for webmail security.