There seem to have been phishing mails sent from firstname.lastname@example.org. Our security team is investigating this. They seem to be sent as an email confirmation email from our client area. However we can not see them being sent from our servers. We have taken actin in preventing this by setting the SPF record to a hard fail should the email not come from our email server. We also have enforced a captcha on all email sending actions. We are currently investigating this with our software vendor WHMCS.