Spear phishing is a common way that attackers get into organizations. Sometimes, when attempting to spear phish an organization, an attacker will spoof one of the targeted organization's email addresses to make the spear phishing message look more legitimate. Mail protocols aren't great at prohibiting this, and thus, it's a fairly successful technique.
A simple analytical method to monitor for this is to watch mail logs or a PCAP solution for "From" addresses claiming to be from within your organization, but from mail gateway IP addresses or sender IP addresses that are outside of your organization. The data resulting from this is quite fascinating. Have a look!