12
R-C-D
5y

I was wondering how a sysadmin would know whether the user sending malicious traffic is the real attacker or whether his account has been hacked?
(It is also probable that the attacker has faked his MAC address to look like the user's device.)

Comments
  • 4
    In any case, it must be blocked.
  • 2
    @popoca Sure, but in case of any damage, who is held responsible? That user, or is there still some other evidence?
  • 3
    @popoca +welcome to devrant :)
  • 3
    @R1100 thanks, and it depends on whose fault the hacking is.
  • 2
    @R1100 that's a broad question. If you're asking about the network level: firewalls do deep packet inspection; tools are so clever they can, for example, disable a feature in Messenger.
    Heuristics are used for detection of malicious activity.
    Faked MAC addresses are useless because the traffic goes through some path and a specific network interface is at the other side of the wire. It's easy to track the source of that packet if you really want to. Not to mention, you don't have proper TCP/IP without a real MAC.
  • 1
    If network logging is enabled, compare the real vs. the configured situation.

    If the user's MAC is connected via the same port as always, it's most likely the user's fault.
    If the user's MAC is coming through a different physical port [ergo from a different seat in the office] than usual, I'd consider it an attack by someone else.

    Making a timeline of usage of both ports would also help.
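A defender-side sketch of that comparison, added here as an example and not part of the original thread: it parses constructed switch MAC-learning log lines (the line format is assumed, not any real vendor's), builds each MAC's usual switch port from history, flags the MAC when it appears on an unusual port, detects the same MAC flapping between two ports within seconds (two devices sharing one address, the spoofing case raised in the question, rather than a user who changed desks), and emits the per-port timeline the comment suggests.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of switch MAC-learning log lines; the format is assumed
# (not any real vendor's): "<ISO time> switch=<name> port=<if> mac=<mac>" per line.
SAMPLE_LOG = """\
2024-03-01T08:02:11 switch=sw-floor2 port=Gi1/0/7 mac=aa:bb:cc:dd:ee:01
2024-03-01T08:05:40 switch=sw-floor2 port=Gi1/0/8 mac=aa:bb:cc:dd:ee:02
2024-03-02T08:01:03 switch=sw-floor2 port=Gi1/0/7 mac=aa:bb:cc:dd:ee:01
2024-03-03T08:03:27 switch=sw-floor2 port=Gi1/0/7 mac=aa:bb:cc:dd:ee:01
2024-03-04T12:44:09 switch=sw-floor2 port=Gi1/0/23 mac=aa:bb:cc:dd:ee:01
2024-03-04T12:44:10 switch=sw-floor2 port=Gi1/0/7 mac=aa:bb:cc:dd:ee:01
"""

def parse_log(text):
    """Return a time-sorted list of (timestamp, switch, port, mac) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, *fields = line.split()
            kv = dict(f.split("=", 1) for f in fields)
            events.append((datetime.fromisoformat(ts), kv["switch"], kv["port"], kv["mac"].lower()))
    return sorted(events)

def build_baseline(events):
    """Usual (switch, port) per MAC: the location where the switch learned it most often."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, switch, port, mac in events:
        counts[mac][(switch, port)] += 1
    return {mac: max(locs, key=locs.get) for mac, locs in counts.items()}

def find_anomalies(events, baseline):
    """Events where a MAC shows up on a port other than its usual one (the 'different seat' case)."""
    return [e for e in events if (e[1], e[2]) != baseline[e[3]]]

def find_flapping(events, window_seconds=60):
    """Same MAC learned on two different ports within window_seconds: two devices
    share the address (spoofing), as opposed to a user who simply moved desks."""
    hits = []
    for mac in {e[3] for e in events}:
        seq = [(ts, (sw, port)) for ts, sw, port, m in events if m == mac]
        for (t1, loc1), (t2, loc2) in zip(seq, seq[1:]):
            if loc1 != loc2 and (t2 - t1).total_seconds() <= window_seconds:
                hits.append((mac, t1, loc1, t2, loc2))
    return hits

def port_timeline(events, mac):
    """Chronological (timestamp, switch/port) usage for one MAC, for the incident write-up."""
    return [(ts, f"{sw}/{port}") for ts, sw, port, m in events if m == mac]
```

In the sample, aa:bb:cc:dd:ee:01 is learned on Gi1/0/7 every morning, then on Gi1/0/23 and again on Gi1/0/7 one second apart: an unusual port on its own could be a moved laptop, but the one-second flap means two devices are using that MAC at once.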
  • 1
    @mt3o With a spoofed MAC, TCP/IP is possible. Without a valid IP address it isn't.
  • 1
    @sbiewald correct. The packet will be passed to the right node. My mistake.