Phishing Attack Leaves Oregon State Employees Unable to Email

A phishing attack and a compromised state email account provided the platform for a spam campaign that resulted in state addresses being blacklisted by providers like Outlook, MSN and Hotmail.

by Hillary Borrud, The Oregonian / March 26, 2019
Shutterstock

(TNS) — For the third time in a year, state of Oregon employees are unable to send emails to many people they would otherwise correspond with for work.

The problem originated when an employee’s email account was “compromised,” according to a memorandum sent by the state’s Chief Information Officer Terrence Woods on Thursday.

That allowed an outside party to launch an email spam campaign from the state employee’s account, which in turn caused several email providers to blacklist all email addresses containing the extensions @oregon.gov and @state.or.us.

Providers that blacklisted state emails include Outlook, MSN and Hotmail.

“We experienced the same email reputation issue just last month,” Woods wrote.

Similarly, the state’s @oregon.gov email extension was blacklisted by email providers in June, after a state employee clicked on a phishing email and a malicious party was able to send out more than eight million spam emails from the account.

The February and March email breaches impacted the Department of State Lands, which manages its own email system, and the March incident also involved the Department of Energy, which uses centralized state technology services, Department of Administrative Services spokeswoman Liz Craig wrote in an email Monday morning. Craig was unable to say by the end of the business day which agency was involved in the June email incident.

Each time the state email system is compromised, the government must work to rebuild the reputation of its email accounts with providers so they will once again accept state emails.

“We believe the issue is resolved, but I am waiting on the official all clear from our IT staff (likely today or tomorrow),” Craig wrote. “In the meantime, employees will have to use other modes of communication (phone) with people who use these email domains and who cannot provide an alternate email address.”

Employees whose emails did not reach their intended contacts will know, because they will receive a bounce-back notification.

Although many state agencies use centralized information technology services from the Department of Administrative Services, some also run their own technology operations. Woods wrote that the state’s centralized technology office “highly recommends that agencies that manage their own email systems require two-factor authentication, limit the use of (Outlook Web Access), or simply not use (Outlook Web Access).”

“In addition, the (centralized technology office) is working with agency email administrators with email-hardening guidelines and real-time phishing scam information,” Woods wrote.

Craig wrote in an email that the centralized technology office “has published an information security awareness video series” that every agency is required to use to educate state employees on email security. Employees at most state agencies are required to go through annual information security trainings, and the state sends out updated “security awareness” materials to them on a quarterly basis.

©2019 The Oregonian (Portland, Ore.). Distributed by Tribune Content Agency, LLC.

 

Platforms & Programs