They're all really obvious, but I'm not sure how they're coming in. They typically look like this:
Dear user name,
You have successfully updated the password of your domain account.
If you did not authorize this change or if you need assistance with your account, please contact domain customer service at: administrator@domain
Thank you for using domain!
The domain Support Team
+++ Attachment: No Virus (Clean)
+++ domain Antivirus - www.*domain*.com
We also receive ones that are slightly different, and all have attachments (likely virus/worm)
Where are these coming from?