"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
The most common reason for this problem is the confusion between a message's From: header and its SMTP envelope-from value (and, in different circumstances, its To: header and SMTP envelope-to value). While the value in the From: header is displayed in email clients (such as Microsoft Outlook), it is the SMTP envelope-from value that PureMessage checks against entries in the Whitelisted Senders and Blacklisted Senders lists.
Because the SMTP envelope values are derived from information gathered by the servers that relay the message, they are more reliable than From: and To: headers, which can be easily forged by the person who sends the message. There are both legitimate reasons (such as mailing lists) and illegitimate reasons (address forgery) why the contents of the SMTP envelope-from and From: header sometimes do not match.
To view the SMTP envelope-from of a message, select the message in the PureMessage quarantine, and then view the contents of the Envelope From field on the Quarantine Info tab. Use the message's SMTP envelope-from value to update the Whitelisted Senders or Blacklisted Senders list.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.