Comment by deckar01

Edit: The attacker didn’t actually know my email address. The google domain had a catch all email forwarding config that squarespace botched. Apparently they can spoof emails from my domain on a mailgun server as long as it’s to an email address on my domain.