san.com straightarrownews Sep 08, 2025 at 06:20 PM GMT+2
Mikael Thalen (Tech Reporter)
Summary
Sensitive data leaked
More than 2,000 files linked to former U.K. Prime Minister Boris Johnson were stolen by hackers and leaked online.
‘Devastating’ breach
Cybersecurity experts describe the leak as a serious exposure of data belonging to a world leader.
‘High-priority target’
A former U.K. official says the breach could be related to an influence campaign by a foreign adversary.
Full story
Leaked computer files tied to former U.K. Prime Minister Boris Johnson offer an unprecedented glimpse into a scandal over COVID-19 protocols, his response to the Ukraine war and his private views on world leaders, including Russian President Vladimir Putin. The hack also found documents pitching a reality television show.
Taken together, the files paint an intimate portrait of the former politician’s day-to-day activities, including during his time as prime minister from 2019 to 2022.
Straight Arrow News obtained the more than 2,000 files from the nonprofit leak archiver DDoSecrets. Unidentified hackers quietly posted the data online last year, according to DDoSecrets co-founder Emma Best, but it has not been previously reported.
SAN sent an inquiry to Johnson’s office, where the data appears to have originated, as well as to Johnson’s personal email address, but did not receive a reply.
Little is known about the details surrounding the breach and those responsible. But cybersecurity experts describe the data leak as a serious exposure of information in the hands of a world leader.
“It’s obviously a devastating compromise if personal emails, documents and the like have been collected and breached,” Shashank Joshi, visiting fellow at the Department of War Studies at King’s College London, told SAN.
World leaders are regularly targeted by both criminal and nation-state hackers. In 2020, according to researchers at Citizen Lab, the University of Toronto-based group that specializes in spyware detection, multiple phones at Johnson’s office and the foreign office were compromised.
That attack, which Citizen Lab linked to the United Arab Emirates, was carried out with the advanced Israeli-made spyware known as Pegasus. Both the UAE and NSO Group, the company behind the spyware, denied involvement.
Rob Pritchard, the former deputy head of the U.K.’s Cyber Security Operations Centre and founder of the consulting firm The Cyber Security Expert, told SAN that it is entirely possible that the hack of Johnson could be tied to an influence operation from a foreign adversary.
“I think this really highlights the importance of ensuring good practices when it comes to cybersecurity, especially for high-profile individuals,” Pritchard said. “Ex-prime ministers will undoubtedly still be very high-priority targets for a range of countries, and their private office will hold sensitive information, if not actually classified information in the strict sense.”
‘Security briefing: Nuclear’
A folder titled “Travel” underscores the hack’s intrusiveness.
It includes photos of Johnson’s passport and driver’s license, as well as his visa information for Australia, Canada, Kurdistan, Saudi Arabia and the U.S. Identifying documents for family and staff are also present.
Itineraries outlining visits to numerous countries offer insight into Johnson’s routine. One U.S. visit, which does not include a date but appears to have been during President Donald Trump’s first term, shows efforts by Johnson to meet prominent politicians, such as Sen. Ted Cruz, R-Texas, former National Security Adviser John Bolton, former United Nations Ambassador Nikki Haley and Florida Gov. Ron DeSantis.
Other itineraries, including one for a November 2023 visit to Israel, mention Johnson’s security measures. The document states that although Johnson did not bring a protection force of his own, “4 Israeli private security agents” would look after his group while “on the ground.”
Documents related to a November 2022 visit to Egypt show the names and phone numbers of two individuals tasked with protecting Johnson while in the city of Sharm El-Sheikh. The travel folder also contains documents related to VIP suite bookings at London Gatwick Airport and COVID-19 vaccination records for those traveling with Johnson.
Another folder called “Speeches” contains dozens of notes and transcripts for talks by Johnson both during and after his tenure. Invoices show how much Johnson charged for several speaking engagements in 2024 after leaving office, including $350,000 for a speech to Masdar, a clean energy company in the UAE. After deductions, however, Johnson appears to have pocketed $94,459.08.
The usernames, passwords, phone numbers and email addresses used for Johnson’s accounts on Facebook, Instagram, Twitter, LinkedIn, Snapchat and Threads are exposed as well in a file marked “confidential.”
Another folder, labeled “DIARY,” includes Johnson’s daily schedules, marked as both “sensitive” and “confidential,” during his time as prime minister. One schedule from July 2019 simply states, “Security briefing: Nuclear.” Another entry from that month: “Telephone call with the President of the United States of America, Donald Trump.”
‘Partygate’
A folder titled “Notebooks” includes scans of hundreds of pages of Johnson’s handwritten notes. Many sections have been redacted with “National Security” warnings.
SAN confirmed that the documents are related to the U.K.’s independent public inquiry into the COVID-19 pandemic, which required Johnson to hand over copies of his diaries and notebooks. Although many of the documents related to the inquiry were made public, those obtained by SAN were not.
The investigation found that Johnson attended numerous social gatherings during the pandemic in breach of COVID-19 lockdown regulations. The ensuing scandal, known as “Partygate,” ultimately led to Johnson’s resignation.
In one notebook entry dated March 19, 2020, Johnson writes that “some very difficult rationing decisions” would be required because of the pandemic’s strain on the U.K.’s medical system.
Another entry regarding the 2021 G7 summit in Cornwall, England, highlights the issues Johnson planned to discuss with numerous world leaders, including former President Joe Biden, French President Emmanuel Macron and former German Chancellor Angela Merkel.
‘It would only take one missile’
The data cache contains 160 emails from the first 22 months following Johnson’s tenure as prime minister. They appear to have come from the account of Johnson’s senior adviser.
These emails discuss Johnson’s private endeavors, including a document pitching a reality TV show to popular streaming platforms, complete with AI-generated photos of the former world leader.
One of the later emails contained in the breach, dated June 10, 2024, shows attempts by the U.K.’s National Security Secretariat to schedule a meeting with Johnson regarding “a sensitive security issue” almost two years after he left office.
The email, sent on behalf of Deputy National Security Adviser Matt Collins, noted a “strong preference” for an in-person meeting with the former prime minister. It’s unclear what spurred the meeting request and whether it was related to the breach.
The final folder from the leaked data involves the Russian invasion of Ukraine.
Notes on a widely reported phone call between Johnson and Russian President Vladimir Putin from February 2022 offer insight into the former prime minister’s thinking. The conversation is described by Johnson, who makes specific mention of Putin’s use of profanity, as “weirdly intimate in tone.”
Johnson also claims that Putin said, “I don’t want to hurt you boris but it would only take one missile.”
Johnson later revealed the threat in a 2023 documentary by the BBC. A Kremlin spokesperson responded by calling the claim a “lie.”
In another entry dated “25 October,” Johnson reminds himself to “call Putin” with an invite to a United Nations Climate Change Conference. Johnson notes that such events are “not really his bag since it is all about moving beyond hydrocarbons and he is paranoid about covid.”
The leak also contains a U.K. Defense Intelligence document dated December 2022 regarding the status of a nuclear power plant in Ukraine. The document includes numerous classification labels, such as sensitive, which denotes that it is not intended for public release. Other markings show that the document may only be shared with international partners in the European Union, NATO, Australia and New Zealand.
The U.K.’s Cabinet Office, which supports the prime minister, did not provide a statement when contacted by SAN.
Alan Judd (Content Editor) and Devin Pavlou (Digital Producer) contributed to this report.
Microsoft Community Hub - techcommunity.microsoft.com - Aug 20, 2025
We are announcing that all Exchange Online customers who send external email should start switching to custom (aka vanity) domain names.
MOERA domains for email
When a organization creates a new tenant in Microsoft 365, an onmicrosoft.com domain (or similar default domain like onmicrosoft.de) is provided. These MOERA (Microsoft Online Email Routing Address) domains enable immediate connectivity and user creation. Having enabled a quick start and testing of a new tenant, customers are expected to add their own custom domains for better brand representation and control moving forward. Customers who continue using MOERA domains as their “primary domain” may face significant challenges.
Limitations of free ‘onmicrosoft’ shared domains
These “default” domains are useful for testing mail flow but are not suitable for regular messaging. They do not reflect a customer’s brand identity and offer limited administrative control. Moreover, because these domains all share the ‘onmicrosoft’ domain (for example, ‘contoso.onmicrosoft.com’), their reputation is collectively impacted. Despite our efforts to minimize abuse, spammers often exploit newly created tenants to send bursts of spam from ‘.onmicrosoft.com’ addresses before we can intervene. This degrades this shared domain’s reputation, affecting all legitimate users. To ensure brand trust and email deliverability, organizations should establish and use their own custom domains for sending email. Until now, we did not have any limits on use of MOERA domains for email delivery.
Introducing new throttling enforcement
To prevent misuse and help improve deliverability of customer email by encouraging best practices, we are changing our policy. In the future, MOERA domains should only be used for testing purposes, not regular email sending. We will be introducing throttling to limit messages sent from onmicrosoft.com domains to 100 external recipients per organization per 24 hour rolling window. Inbound messages won't be affected. External recipients are counted after the expansion of any of the original recipients. When a sender hits the throttling limit, they will receive NDRs with the code 550 5.7.236 for any attempts to send to external recipients while the tenant is throttled.
Customer actions
Customers will need to take actions depending on their use of their MOERA domain.
Purchase and migrate to a custom domain if not already done.
Ensure only custom domains are used for sending non-test emails.
If your tenant's default domain is a MOERA domain, set the default domain to a custom domain. This can be done in the Microsoft 365 admin center.
Mailboxes will need to have their primary SMTP addresses changed to the custom domain alias. Changing the primary SMTP address will have an impact on the username used to log into accounts so updates may need to be made to any credentials configured to authenticate devices or applications with users’ accounts.
Note: Customers with Federated Domains will have to add a non-Federated custom domain in Microsoft 365 to act as a default domain, as Federated domains cannot play that role. Learn more here: AD FS Overview.
Purchasing a domain
A domain registrar is a company authorized to sell and manage domain names. To purchase a domain, you typically visit a registrar’s website, search for an available domain name, and follow the checkout process to register it in your name. Once purchased, you can manage DNS settings through the registrar’s portal to validate your ownership when adding it to Exchange Online as an accepted domain. Once purchased, you can use the following instructions to add it to your tenant as an accepted domain – documentation.
Adding new aliases to existing mailboxes
To migrate users over to using a new custom domain, admins will need to add aliases to each user account for the new custom domain. These new aliases will need to be set as the Primary SMTP Address on the mailbox so that it is used for sending out emails. Users at organizations who make use of the Sending from Aliases feature will need to ensure that the correct alias is selected when they reply to emails addressed to their MOERA alias.
Known MOERA domain usage scenarios
Besides regular email client sending when a MOERA domain is a primary SMTP address, these are some of the known usage scenarios customers should be aware of:
Sender Rewriting Scheme may use MOERA domains as fallback if it is set as the default domain. Customers will need to change their default domains to avoid this. (Sender Rewriting Scheme (SRS) in Microsoft 365).
Bookings app invites may be configured to send from MOERA domains. Customers will need to ensure Bookings is configured to use their custom domain. (Custom domain support in Shared Bookings).
Notifications from Microsoft should be set up to use a custom domain. (Select the domain to use for email from Microsoft 365 products).
Journaling Reports use the Microsoft Exchange Recipient address set for tenants (MicrosoftExchangeRecipientPrimarySmtpAddress in Get-OrganizationConfig). This address cannot be modified by admins and therefore these messages will not count towards the throttling limit.
Hybrid configurations with complex routing make use of MOERA domains containing mail.onmicrosoft.com. It is possible that addresses using these domains could send emails to external recipients e.g. OOF messages when Sending from Aliases is enabled. These messages will not be throttling so long as these domains are not used for original traffic.
Analyzing your MOERA email traffic
You can use the Message Trace feature in Exchange Admin Center to retrieve the outbound traffic being sent from your tenant. By placing a wild card address in the Senders field, you can get a report with all traffic using your onmicrosoft.com domain to send. Note that this report would contain messages sent internally as well, but those can be filtered out of the resulting report by using the recipient domain.
Rollout timeline
The throttling rollout will be based on the number of Exchange seats in an organization:
MOERA outgoing email throttling starts
Exchange seats in the tenant
October 15, 2025
Trial
December 1, 2025
< 3
January 7, 2026
3 – 10
February 2, 2026
11 – 50
March 2, 2026
51 – 200
April 1, 2026
201 – 2,000
May 4, 2026
2,001 – 10,000
June 1, 2026
10,001 >
Announcements for each stage of the rollout will be made one month before via Message Center to all customers meeting the seat count criteria. All customers who are using their MOERA domains are encouraged to start planning and migrating today.
WASHINGTON, June 30 (Reuters) - Iran-linked hackers have threatened to disclose more emails stolen from U.S. President Donald Trump's circle, after distributing a prior batch to the media ahead of the 2024 U.S. election.
In online chats with Reuters on Sunday and Monday, the hackers, who go by the pseudonym Robert, said they had roughly 100 gigabytes of emails from the accounts of White House Chief of Staff Susie Wiles, Trump lawyer Lindsey Halligan, Trump adviser Roger Stone and porn star-turned-Trump antagonist Stormy Daniels.
La Sûreté de l'État est touchée par un grave incident de sécurité. Des pirates chinois ont détourné des courriels pendant deux ans, compromettant potentiellement des données sensibles du personnel.
In a rather novel attack chain, attackers deploy a custom-made emulated QEMU Linux box to persist on endpoints, delivered through phishing emails.
Austrian security authorities have identified a Swiss man as the suspect in a series of emails containing bomb threats.
The International Monetary Fund (IMF) recently experienced a cyber incident, which was detected on February 16, 2024.
Guardio Labs uncovers a sprawling campaign of subdomain hijacking, compromising already over 8,000 domains from esteemed brands and institutions, including MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, eBay and others. This malicious activity, dubbed “SubdoMailing”, leverages the trust associated with these domains to circulate spam and malicious phishing emails by the Millions each day, cunningly using their credibility and stolen resources to slip past security measures.
In our detailed analysis, we disclose how we detected this extensive subdomain hijacking effort, its mechanisms, its unprecedented scale and the main threat actor behind it. Furthermore, we developedthe “SubdoMailing” checker — a website designed to empower domain owners to reclaim control over their compromised assets and shield themselves against such pervasive threats. This report not only sheds light on the magnitude of the issue but also serves as a call to action for enhancing domain security against future exploits.
Moscow-backed Cozy Bear may have had access to the green rectangular email cloud for six months
Rep. Don Bacon tweeted Monday that he had been notified by the FBI that his emails had been hacked.
Millions of US military emails have been misdirected to Mali through a “typo leak” that has exposed highly sensitive information, including diplomatic documents, tax returns, passwords and the travel details of top officers.
We introduce UNC3524, a newly discovered suspected espionage threat actor targeting corporate emails.
