---
title: "Email Security Breach at the FBI: How Threat Actors Got Access to the FBI’s Mail Servers | DuoCircle"
description: "Malicious actors reportedly attacked the Federal Bureau of Investigation (FBI) mail system Saturday (November 13, 2021) morning."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/email-security/email-security-breach-at-the-fbi-how-threat-actors-got-access-to-the-fbis-mail-servers/"
---

Quick Answer

On November 13, 2021, attackers used a misconfiguration in the FBI's Law Enforcement Enterprise Portal (LEEP) to send roughly 100,000 spam messages from a legitimate FBI address (153.31.119.142, mx-east-ic.fbi.gov) warning recipients of a fake cybercrime investigation. Because the headers were genuine and the messages came from real FBI infrastructure, recipient providers and security tools couldn't filter them as spoofed, and security operations teams fielded a wave of calls. The actor, going by Pompompurin, told Krebs On Security that an unsafe script in the portal allowed the subject and body to be replaced and the messages auto-sent. The FBI confirmed no personal data or internal infrastructure was compromised: the LEEP server was isolated from corporate email. The incident illustrates that even a non-personal-data breach via misconfiguration can be used for credible spear phishing; with email delivering roughly 92% of malware, organizations should reassess their email security posture even when they assume their existing controls are sufficient.

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Femail-security%2Femail-security-breach-at-the-fbi-how-threat-actors-got-access-to-the-fbis-mail-servers%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Email%20Security%20Breach%20at%20the%20FBI%3A%20How%20Threat%20Actors%20Got%20Access%20to%20the%20FBI%E2%80%99s%20Mail%20Servers&url=undefined%2Fblog%2Femail-security%2Femail-security-breach-at-the-fbi-how-threat-actors-got-access-to-the-fbis-mail-servers%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Femail-security%2Femail-security-breach-at-the-fbi-how-threat-actors-got-access-to-the-fbis-mail-servers%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Femail-security%2Femail-security-breach-at-the-fbi-how-threat-actors-got-access-to-the-fbis-mail-servers%2F&title=Email%20Security%20Breach%20at%20the%20FBI%3A%20How%20Threat%20Actors%20Got%20Access%20to%20the%20FBI%E2%80%99s%20Mail%20Servers "Share on Reddit") [ ](mailto:?subject=Email%20Security%20Breach%20at%20the%20FBI%3A%20How%20Threat%20Actors%20Got%20Access%20to%20the%20FBI%E2%80%99s%20Mail%20Servers&body=Check out this article: undefined%2Fblog%2Femail-security%2Femail-security-breach-at-the-fbi-how-threat-actors-got-access-to-the-fbis-mail-servers%2F "Share via Email") 

![Email Security Breach](https://media.mailhop.org/duocircle/images/2021/11/dmarc-report-3476.jpg) 

_Malicious actors reportedly attacked the Federal Bureau of Investigation (FBI) mail system_ Saturday (November 13, 2021) morning, ostensibly as a DHS warning of a [cyberattack](/announcements). The FBI [confirmed](https://www.bleepingcomputer.com/news/security/fbi-system-hacked-to-email-urgent-warning-about-fake-cyberattacks/) that attackers compromised its mail servers and sent out bogus messages. Despite spending [millions to ensure cybersecurity](https://atlasvpn.com/blog/us-government-to-spend-over-18-billion-on-cybersecurity), the _FBI’s network has been compromised_. The attackers could have used the emails for **spear phishing** and [ransomware attacks](/phishing-protection/one-more-reason-to-avoid-a-ransomware-attack/) but instead outlined how recipients avoid cybercrimes. They used a compromised server to send spam, warning that someone could steal their data.

## Email Security Breach On The FBI in Detail

It looks like the _FBI was being used as a pawn in a fight between malicious actors and security researchers_. The Federal Bureau of Investigation’s Cyber and Infrastructure Security Agency (CISA) has confirmed that intruders broke into the FBI’s mail platform and sent fake messages from the system. They sent “at least” **100,000 spam messages** by gaining access to the FBI’s mail server by compromising its [email security](/).

[![Email security](https://media.mailhop.org/duocircle/images/2021/11/spf-record-generator-3541.jpg)](https://media.mailhop.org/duocircle/images/2021/11/spf-record-generator-3541.jpg)

The FBI confirmed that their domain name and internet address, fbi.gov, was used by the perpetrator to blast thousands of fake cybercrime investigation emails. The FBI said that a software misconfiguration temporarily exposed its Law Enforcement Enterprise Portal (LEEP) to malicious actors who used it to send fake emails. The office also noted that _no personal data or information was compromised during the break-in_.

## News And Reactions Surrounding The Email Security Attack Against FBI

The FBI’s email server was compromised to spread spam, imitating the FBI’s warnings that someone had attacked the recipient’s network and stolen data. _Malicious actors used the mail servers of the FBI to send thousands of fake messages_ claiming that their recipients were victims of a “sophisticated chain attack,” thus causing the recipients to panic.

While the intelligence organization ensured that the emails were fake, [a tweet](https://twitter.com/spamhaus/status/1459450061696417792) by Spamhaus noted that the emails caused many inconveniences because the headers were actual and came from the FBI infrastructure. They further added that all emails came from the FBI IP address 153.31.119.142 (mx-east-ic.fbi.gov).

While scammers often pretend they are sending emails from someone else’s address, the metadata of the emails clearly shows that the FBI server sent them in this case, said Alex Grosjean, a researcher at the Spamhaus Project. The fake emails then sparked a spate of calls to **managed security providers**, as Kevin Beaumont, the chief security officer at Arcadia Group, [noted during the weekend](https://twitter.com/GossiTheDog/status/1459573928775540736).

## Who is Behind The Cyberattack on the FBI?

The office said the attackers were sending emails from a legitimate FBI address. An [interview with the person claiming responsibility](https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-poor-coding-in-fbi-website/) for the prank reveals that he sent the spam messages using an **unsafe code** on the FBI’s online portal for exchanging information with state law enforcement and local authorities. ‘Krebs On Security’ got a similar email. The strange email contained a warning regarding cybersecurity writer [Vinny Troia](https://twitter.com/vinnytroia) and The Dark Overlord’s malicious group. The cybersecurity organization Night Lion published a [study on The Dark Overlord](https://nightlion.com/blog/2021/infographic-thedarkoverlord-shinyhunters/) earlier this year.

[Pompompurin](https://twitter.com/pompompur%5Fin), the attacker, also talked to ‘Krebs On Security’ and claimed that a _simple script could replace parameters with the subject and body of the message and automatically send a fake letter to thousands of email addresses_. Pompompurin continued to tell how he could launch a massive **spam campaign** by manipulating the sender’s address and the body of the letter.

## FBI’s Official Statement

The FBI-controlled server that sent the messages was isolated from the agency’s corporate email. It did not allow access to any personal data or information on the FBI’s network. _The FBI explained that the attackers behind the spam campaign used software settings to send emails_.

The FBI [released a statement](https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-incident-involving-fake-emails) the next day (November 14, 2021) saying that _the emails were sent by someone who took advantage of a ‘software misconfiguration’_ that affected the Law Enforcement Enterprise Portal (LEEP). The agency uses LEEP to communicate with state law enforcement partners. _The FBI has confirmed that the fake emails were not sent by anyone with access to the FBI’s technology infrastructure_. It was the work of someone abusing a misconfigured web portal, and the incident compromised no personal data or information.

## Previous Mentions of Compromised System of The FBI

In 2015, [cyber activists said](https://www.nextgov.com/cybersecurity/2015/11/you-only-need-one-password-access-allegedly-hacked-law-enforcement-databases/123537/) they could break into the system after discovering that only one password was required to access various national security systems and law enforcement agencies. Therefore, the question arises why the FBI didn’t take **preventive measures** at the time. Regardless of who briefly took possession of the FBI email on the 13th, the entire incident left cybersecurity professionals and law enforcement officials wondering why the one behind the incident did not use their FBI email access to send more malicious and [spear-phishing emails](/content/spear-phishing-protection). For example, they could have sent legitimate-looking emails with **malware or ransomware** attachments that compromised trusted FBI partners.

## Final Words

[![phishing protection](https://media.mailhop.org/duocircle/images/2021/11/spf-permerror-3695.jpg)](https://media.mailhop.org/duocircle/images/2021/11/spf-permerror-3695.jpg)

Around **92% of malware** comes [through emails](https://purplesec.us/resources/cyber-security-statistics/). Today, **ransomware protection** and [phishing protection](/email/phishing-protection) have become imperative due to the rise in [email security](/) breaches. When one of the most secure global organizations becomes a victim of an email breach and server compromise, you need to _reevaluate your organization’s [email security posture](/email-security/misdirected-emails-risks-they-can-pose-to-an-organizations-email-security-posture/) as well and adopt relevant measures_ if they haven’t been adopted already.

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

## Secure your email infrastructure

Protect, authenticate, and deliver. Contact our team to find the right solution.

[Contact Sales](/contact/) [Explore Products](/products/) 

## Related Articles

[  Email Security 8m  BIMI in 2026: What the Certificate Authority Does, and What Your DMARC Tool Does  May 5, 2026 ](/blog/bimi-2026-what-the-ca-does-what-your-dmarc-tool-does/)[  Email Security 8m  Designing A Custom Dkim Architecture For High-Volume Email Senders  Apr 28, 2026 ](/blog/designing-custom-dkim-architecture-for-high-volume-email-senders/)[  Email Security 12m  DMARC, SPF, and DKIM in 2026: Why Email Authentication Is Now a Regulatory Requirement, Not Just a Best Practice  Apr 29, 2026 ](/blog/dmarc-spf-dkim-2026-email-authentication-regulatory-requirement-best-practice/)[  Email Security 5m  Email Monitoring Tools: A Complete Guide to Protecting Your Email Ecosystem  May 7, 2026 ](/blog/email-monitoring-tools-guide-protecting-your-email-ecosystem-security/)

```json
{"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}],"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://www.g2.com/products/phish-protection-by-duocircle/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://support.duocircle.com"},"knowsAbout":["Email Security","Email Authentication","SPF","DKIM","DMARC","Phishing Protection","Spam Filtering","SMTP Relay","Email Deliverability","Email Forwarding"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DuoCircle LLC","url":"https://www.duocircle.com","description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"Email Security Breach at the FBI: How Threat Actors Got Access to the FBI’s Mail Servers","description":"Malicious actors reportedly attacked the Federal Bureau of Investigation (FBI) mail system Saturday (November 13, 2021) morning.","url":"https://www.duocircle.com/blog/email-security/email-security-breach-at-the-fbi-how-threat-actors-got-access-to-the-fbis-mail-servers/","datePublished":"2021-11-27T16:42:29.000Z","dateModified":"2025-05-23T12:25:24.000Z","dateCreated":"2021-11-27T16:42:29.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/email-security/email-security-breach-at-the-fbi-how-threat-actors-got-access-to-the-fbis-mail-servers/"},"articleSection":"email-security","keywords":"","wordCount":868,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2021/11/dmarc-report-3476.jpg","caption":"Email Security Breach","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":2,"name":"Email Security"},{"@type":"ListItem","position":3,"name":"Email Security Breach at the FBI: How Threat Actors Got Access to the FBI’s Mail Servers","item":"https://www.duocircle.com/blog/email-security/email-security-breach-at-the-fbi-how-threat-actors-got-access-to-the-fbis-mail-servers/"}]}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.duocircle.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":3,"name":"Email Security","item":"https://www.duocircle.comundefined"},{"@type":"ListItem","position":4,"name":"Email Security Breach at the FBI: How Threat Actors Got Access to the FBI’s Mail Servers","item":"https://www.duocircle.com/blog/email-security/email-security-breach-at-the-fbi-how-threat-actors-got-access-to-the-fbis-mail-servers/"}]}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"Email Security Breach at the FBI: How Threat Actors Got Access to the FBI’s Mail Servers","description":"Malicious actors reportedly attacked the Federal Bureau of Investigation (FBI) mail system Saturday (November 13, 2021) morning.","url":"https://www.duocircle.com/blog/email-security/email-security-breach-at-the-fbi-how-threat-actors-got-access-to-the-fbis-mail-servers/","datePublished":"2021-11-27T16:42:29.000Z","dateModified":"2025-05-23T12:25:24.000Z","dateCreated":"2021-11-27T16:42:29.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/email-security/email-security-breach-at-the-fbi-how-threat-actors-got-access-to-the-fbis-mail-servers/"},"articleSection":"email-security","keywords":"","wordCount":868,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2021/11/dmarc-report-3476.jpg","caption":"Email Security Breach","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```
