Comment by herewego

I have dealt with a similar situation, in a sense more than once, and my strategy was to first integrate the identified risk into my model and then compare it against my own risk profile. If the risk was above a threshold (simplifying), I take an offensive posture in cases like these.

For example, in this case, I would minimally identify and locate the individual responsible for the email. I think that is doable.