Cyber Incident Victim: Oregon government
Date: Mar 2019
Location: United States of America
Summary
A phishing attack targeting an Oregon government employee led to the state's email domains being temporarily blacklisted by Microsoft services, disrupting email communications with addresses using outlook.com, msn.com, hotmail.com, and live.com domains. State employees lost the ability to send messages to these platforms until access was restored following internal notifications from state IT leadership addressing the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around March 26, 2019, a phishing incident disrupted email communications for Oregon state government employees. A state employee fell victim to a phishing attack, prompting Microsoft to blacklist Oregon.gov email addresses. The blacklisting blocked all outgoing email from state accounts to Microsoft-operated services, including the domains outlook.com, msn.com, hotmail.com, and live.com. The disruption impaired routine communications between state agencies and external stakeholders using these platforms, and internal operations faced immediate challenges because messages could not be delivered through Microsoft’s email ecosystem. The incident was a recurrence of similar blacklisting issues for Oregon government email, though the article did not specify the dates of prior occurrences.

State Chief Information Officer Terrence Woods responded by issuing an internal memo to agency directors informing them of the blacklisting and its cause. The memo explained the phishing attack’s role in triggering Microsoft’s security measures but did not detail the attack’s methodology or the employee’s actions. Email access to Microsoft-affiliated addresses was restored for state personnel by Tuesday, March 26. The available source material disclosed no additional technical countermeasures and no long-term impacts beyond the temporary service interruption, and it did not elaborate on preventative steps taken after the incident.
