This alert is generated when the sender is impersonating (or spoofing) a trusted identity.
A sender can impersonate a trusted identity by mimicking either the friendly name or the exact 'from' address used by the trusted sender.
When the sender impersonates the friendly name, the 'from' address is different from the 'from' address of the trusted identity being spoofed.
When the sender impersonates the 'from' address exactly, the 'from' address is exactly the same as the 'from' address of the trusted identity being spoofed.
This can make it difficult to determine whether the alert is a false positive or legitimate.
To know for sure, examine the header of the email. If it is a spoofed email, the 'SPF' attribute in the header will look like the following:
Received-SPF: softfail (google.com: domain of transitioning email@example.com does not designate 126.96.36.199 as permitted sender) client-ip=188.8.131.52;
The value of Received-SPF will either be softfail or fail.
In certain circumstances, automated processes send emails on behalf of other users. In doing so, they use the exact 'from' address of the user. If the IP address from which the automated process sends email is not included in the SPF record of the domain, the SPF value of such an email, when received by the recipient, will be either softfail or fail.
The fix for this problem is to ensure that the IP address from which the automated processes send emails is properly included in the SPF record of the domain.
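
The header check and the SPF record check described above can be scripted. The following is an added example, not part of the original article: it reads the Received-SPF result and client-ip from a message, then tests whether that IP is covered by the ip4/ip6 entries of the domain's SPF record. The sample message, the SPF record, and the function names are constructed for illustration, and include/a/mx mechanisms are not resolved.

```python
import email
import ipaddress
import re

# Constructed sample message (not from the article); IPs are documentation ranges.
SAMPLE = (
    "Received-SPF: softfail (mx.example.net: domain of transitioning "
    "alice@example.com does not designate 203.0.113.7 as permitted sender) "
    "client-ip=203.0.113.7;\r\n"
    "From: Alice <alice@example.com>\r\nSubject: Invoice\r\n\r\nbody\r\n"
)
# Constructed SPF TXT record for the sender's domain (assumption for this example).
SAMPLE_SPF = "v=spf1 ip4:198.51.100.0/24 ip4:192.0.2.10 ~all"

def spf_results(raw_message):
    """Return (result, client_ip) for every Received-SPF header in the message."""
    msg = email.message_from_string(raw_message)
    out = []
    for value in msg.get_all("Received-SPF", []):
        words = value.split()                      # also unfolds continuation lines
        result = words[0].lower() if words else ""
        m = re.search(r"client-ip=([0-9A-Fa-f:.]+)", " ".join(words))
        out.append((result, m.group(1) if m else None))
    return out

def ip_in_spf_record(ip, record):
    """True if ip matches a passing ip4:/ip6: mechanism of the record."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:                # skip the "v=spf1" version tag
        term = term[1:] if term.startswith("+") else term
        if term.lower().startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == net.version and addr in net:
                return True
    return False

def triage(raw_message, spf_record):
    """Label each Received-SPF header: not failing, IP listed, or IP not listed."""
    findings = []
    for result, ip in spf_results(raw_message):
        if result not in ("softfail", "fail"):
            findings.append((result, ip, "spf-not-failing"))
        elif ip and ip_in_spf_record(ip, spf_record):
            findings.append((result, ip, "ip-listed-recheck"))
        else:
            findings.append((result, ip, "ip-not-in-spf-record"))
    return findings
```

A result of "ip-not-in-spf-record" covers both cases the article describes: a spoofed email, or an automated process whose sending IP still needs to be added to the SPF record.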