A user received four emails this morning, not filtered out as spam from support@<mydomain>.com but the reply to is something else, ie spoofed.
This e-mail was send by <My domain>.com to notify you that we have temporanly prevented access to your account.
We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions.
(C) <My domain>.com"
With a zip file.
Any one who can felt me adjust my spam rules to block these type of emails would be appreciated.