Spam attack caused the e-mail breakdown

Wed 09 Aug 2023 09:14

Last week's e-mail breakdown was caused by a hijacked user account, explains Henrik Johansson, who works in system operations at INFRA. For five days, attempts to send e-mail to external recipients failed.


It was a hijacked account that lay behind last week's e-mail problems. The account had been used to gain access to our internal network, which made it possible to use our internal e-mail environment from the “inside” to send spam.

57,000 spam messages were sent out

As many as 57,000 external recipients were sent spam during the night leading into Saturday, before the automatic security system kicked in. Since an external sender address was used, Microsoft simply judged that our e-mail environment was not fit to communicate with the outside world, says Henrik Johansson.

“It has happened before that an address within our own domain has been used as the sender for spam mailings, but then the spam protection has only blocked the individual address. The block has remained only until one of our internal administrators has approved that the address may be used again. Since the block this time applied to the entire e-mail system, the necessary action was out of our control and we had to contact Microsoft and get them to fix it,” he says.

Apologies from Microsoft

According to the University’s server logs, a test message was sent on Friday 28 July. On the following night, the real spam flood was launched, causing the protection to stop outbound traffic. On Monday night, another attempt was made to send a spam flood. Henrik Johansson cannot say, however, why it took so long to lift the block.

“We don't know the reason for it at the moment, but Microsoft has apologised.”

Precaution to prevent new attacks

When the IT Support Incident Coordinator noticed the fault on Monday morning, he immediately created an incident case, posted information in the department’s incident channel in Teams, contacted operations staff and informed KOM. As it was assessed as a serious disruption, he also informed MSB. After that, IT operations staff phoned in what had happened and reported the fault to Microsoft the same day. Then the chain of actions stopped.

“Something went very wrong with Microsoft’s support team as they wanted additional information in writing from the customer, i.e. Mid Sweden University. As you know, we couldn't send an e-mail. Nor did the case manager see the comments we wrote in the case via their web interface. Nor did the phone contact have any effect at first. Only after pressure from our account manager was the case escalated and resolved,” says Henrik Johansson.

To prevent a similar attack from happening again, INFRA has now changed the configuration of the e-mail system and closed the “hole” that was exploited.

Earlier this summer, Umeå University also suffered the same type of spam attack, but the blocking could then be lifted relatively quickly.


The page was updated 8/9/2023