I have my business email on GMail. I use 2-factor authentication for access to said business email. I access my business email from 2 computers and 1 mobile Android device. I do not use Outlook or any email client I access it solely through the web browser. I run Webroot AV on both computers and have run MalwareBytes, Hitman Pro and Sophos Virus Removal tool with 0 hits on all.
Yesterday, spoofed emails of my business email account originating from all over the world were sent out to my customers with an attached, password protected file that was a virus. In itself this is not unusual, however, each of the emails was a actual reply from a valid email I had received previously. I immediately looked at my google account settings and verified 2-factor auth, I looked at the devices that were using my email and could verify each one. I could find no proof that someone had gained access to my email other than myself.
Does anyone have any suggestions on where I should look for this breach? I am at a loss and dreading a second round of emails going out.