This may be my favorite Krebs article of all time for so many reasons. Not the least of which is that Chipotle has no clue as to why sending emails from a domain YOU DO NOT OWN is a bad thing... or that a $3.5 billion (with a B!!!) company just hired its first CIO LAST MONTH!
Take a read.
http://krebsonsecurity.com/2015/11/chipotle-serves-up-chips-guac-hr-email/