Earlier this week, investigative journalists at Bellingcat were targeted by a sophisticated phishing attack. As there has been some incorrect reporting about the incident, we are releasing a statement to provide clarification.
On July 24, investigative journalists at Bellingcat, which utilize Proton Mail to secure their communications, were targeted by a sophisticated phishing attack that attempted to steal their credentials to gain access to their Proton Mail accounts. Emails were sent to the targeted users claiming to be from the Proton Mail team, asking the targets to enter their Proton Mail login credentials.
The phishing attack did not succeed because of the vigilance of the targets and certain anti-phishing measures(new window) that Proton Mail has put in place due to the increased security needs of many of our users. A phishing attack targets users of a service and does not directly target the service itself. Some articles have incorrectly claimed that Proton Mail was hacked or compromised, but a phishing attack does not imply a compromise of the service in question.
Proton Mail is unique in that attacking Proton Mail does not necessarily compromise user data, due to our usage of end-to-end encryption(new window) and zero-access encryption(new window). These technologies ensure that any user emails stored on our servers cannot be decrypted by us (or any third party). Generally speaking, only the owner of the mailbox has the ability to decrypt the mailbox. Consequently, the most practical way to obtain email data from a Proton Mail user’s inbox is by compromising the user, as opposed to trying to compromise the service itself. For this reason, the attackers opted for a phishing campaign that targeted the journalists directly.
Attribution of attacks is very difficult to determine. It is well established that Bellingcat is a frequent target of Russian military intelligence due to their prior activities, which have included linking the downing of flight MH17 to Russian forces, and identifying the Russian GRU agents responsible for the nerve agent attack on the Skripals on UK soil. The resources used in this phishing attack (such as the domain registrars and resellers) are also resources that have been used in the past in other cyberattacks conducted by Fancy Bear (also known as APT28), a Russian cyber espionage group which may be affiliated with the GRU. Thus, while it is not conclusively proven, the evidence (along with independent third-party assessments) seem to suggest an attack of Russian origin. A deeper technical analysis of the attack and its links to the Fancy Bear APT(new window) can be found here(new window).
We do know that the attack was highly targeted and specifically went after Bellingcat accounts. We have identified over a dozen fake Proton Mail domains that were registered by the attackers, some of which have not yet been used. The attackers attempted to redirect users to the fake domain mailproton.me, where a fake Proton Mail site was hosted in an attempt to trick the targets into entering their Proton Mail credentials. The fake domains were also registered through a domain registrar that allows anonymous registrations and bitcoin payments to make the attackers harder to track.
Furthermore, the attackers attempted to exploit an unpatched vulnerability in an open source software that is widely used by email providers in an effort to bypass spam and abuse filters. We were previously aware of this vulnerability and have already been watching it for some time, but we will not disclose it here because the software in question is not developed by Proton Mail, and it has not yet been patched by the software maintainers. This vulnerability, however, is not widely known and indicates a higher level of sophistication on the part of the attackers.
Despite the level of sophistication of the attackers, phishing attacks against Proton Mail users generally fail because all official and/or automated emails from Proton Mail are clearly indicated with an Official badge in the Proton Mail inbox, and there is no way for an attacker to spoof this. This means that it is always possible to tell immediately if an email is fake or not.
Immediately after observing the attack, we contacted registrars and webhosts around the world to ensure that all domains used in the attack are promptly suspended. We also worked with the Swiss Federal Police(new window) and MELANI(new window) to block the Swiss domain that was used in this attack. At present, there is not an ongoing law enforcement investigation into the incident, but we are of course conducting our own investigation.
Phishing attacks are the most common type of attack attempted against Proton Mail users. User security is our foremost concern, and we are continually enhancing and improving our detection and prevention systems to combat phishing. You can read this article on how to prevent phishing attacks(new window).
The Proton Mail Team
About Proton Mail
Proton Mail is the world’s largest secure email service. Founded in Geneva in 2014 by scientists who met at the European Centre for Nuclear Research (CERN), Proton Mail protects over 10 million users, including journalists, activists, doctors, lawyers, businesses, and ordinary citizens who want email that is both safer and more private. Because messages are end-to-end encrypted, we cannot read your emails, sell your data to advertisers or compromise the privacy of your communications. Proton Mail is email as it should be — private and secure.
Get a free secure email (new window)account from Proton Mail.
We also provide a free VPN service(new window) to protect your privacy.
Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support.
Update July 19, 2023: To avoid confusion, we removed references to Proton’s former anti-phishing measure of starring emails that came from us. While it was true when this article was published, Proton now uses an Official badge to let you know an email is legitimately from us.