[BreachExchange] Phishing incident gets Oregon.gov emails blacklisted by Microsoft, again

Destry Winant destry at riskbasedsecurity.com
Fri Mar 29 09:00:31 EDT 2019


Oregon state government employees on Tuesday regained the ability to
email people with certain email suffixes after a state employee fell
victim to a phishing attack that briefly resulted in the state being
blacklisted by email services offered by Microsoft.

According to an internal memo sent to agency directors by state Chief
Information Officer Terrence Woods last week, state employees had lost
the ability to send emails to Microsoft-operated email addresses,
including those ending in outlook.com, msn.com, hotmail.com and

It was at least the third time in 12 months that a compromised email
account has affected email service in the state government and
resulted in employees not being able to communicate with Microsoft
users. A similar incident occurred last month, according to Woods’
memo, and another last June.

“Once again, this has negatively affected the state’s sender
reputation score – a score that shows how mailbox providers view our
IP address,” Woods wrote in his memo.

After a state employee clicked on a link in a phishing email, an
outside actor was able to launch a spam campaign from the employee’s
account, according to The Oregonian. In last year’s breach, the
attacker sent more than eight million emails using the government
account before the state regained control.

Though some Oregon agencies operate on a shared email service, others,
such as the Department of State Lands, operate their own. Woods
recommended agencies operating their own email services implement
two-factor authentication and disable access to Outlook Web Access,
Microsoft’s web-based email client.

The state has not disclosed the agency responsible for the latest blacklisting.

After working with Microsoft, a department spokesperson confirmed to
StateScoop that the state’s reputation score has been restored.

Woods was not available to comment for this story.
