‘Millions’ of sensitive US military emails were reportedly sent to Mali due to a typo

Millions of emails were misdirected to Mali due to a typo that swapped the US military’s .MIL domain for Mali’s .ML domain, according to a report from the Financial Times.

  • Mic_Check_One_Two@reddthat.com
    1 year ago

    That’s what we in the cybersec business call an “oopsie daisy I made a little fucky-wucky”.

    For real though, this isn’t a problem yet. The TL;DR is that Mali has a top-level domain “.ml”. Just like “.co.uk” for the UK. And the military uses the domain “.mil”.

    So lots of emails accidentally get sent to “[Military email]@[Military email server].ml” instead of sending to .mil. So a bad actor could simply set up an e-mail server with .ml domains that mirror the military’s .mil ones, and start collecting all of those mis-addressed emails.

    So why isn’t it an issue yet? Because a Dutch contractor had a contract with Mali to manage their domain. They literally signed administrative rights for the .ml domain over to that Dutch contractor. And that contractor was the one who originally noticed the issue, since he saw lots of emails failing to deliver to sites like army.ml and navy.ml. He set up some quick domains to capture said emails, but it was quickly overwhelmed by the sheer volume; he’s received over a hundred thousand since January. But that contract ends this week, so Mali could 100% start registering their own domains when that contract expires and current domain registrations begin expiring.

    • Mic_Check_One_Two@reddthat.com
      1 year ago

      This isn’t Microsoft’s fault though?

      The US military uses the .mil domain, and Mali uses the .ml domain. People in the military/contractors keep typoing email addresses and sending them to the .ml domain instead of .mil.

      The nuclear move would simply be for the military to disallow any emails to the .ml domain, and warn contractors about the issue so they can do the same. It’d block any legitimate emails to a .ml domain, but aside from diplomats there likely isn’t a huge need to email anyone at a .ml domain anyways. Those people who do need to do so could be selectively allowed to email .ml addresses.
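
The outbound block with a selective allowlist suggested in the comment above could look like the following sketch, which is an added example and not code from the thread or from any military mail system. The allowlisted sender, the list of known .mil domains, and the rule that a .ml domain mirroring a known .mil domain is blocked even for allowlisted senders are assumptions made for illustration.

```python
from email.utils import getaddresses

BLOCKED_TLD = "ml"    # Mali's ccTLD, one letter away from .mil
INTENDED_TLD = "mil"
# Hypothetical policy data, constructed for this example.
ML_ALLOWED_SENDERS = {"attache@state.example"}
KNOWN_MIL_DOMAINS = {"army.mil", "navy.mil"}


def check_recipients(sender, header_values):
    """Return (address, verdict, suggestion) for each recipient.

    verdict is "allow" or "block"; suggestion is the .mil address the
    sender probably meant, or None.
    """
    results = []
    sender = sender.strip().lower()
    for _name, addr in getaddresses(header_values):
        local, sep, domain = addr.rpartition("@")
        domain = domain.lower().rstrip(".")  # tolerate a trailing root dot
        if not sep or not local or not domain:
            results.append((addr, "block", None))  # unparseable: fail closed
            continue
        base, _, tld = domain.rpartition(".")
        if tld != BLOCKED_TLD:
            results.append((addr, "allow", None))
            continue
        # A .ml domain whose name mirrors a known .mil domain is treated
        # as a typo (assumption) and blocked even for allowlisted senders.
        twin = f"{base}.{INTENDED_TLD}"
        suggestion = f"{local}@{twin}" if twin in KNOWN_MIL_DOMAINS else None
        allowed = sender in ML_ALLOWED_SENDERS and suggestion is None
        results.append((addr, "allow" if allowed else "block", suggestion))
    return results


if __name__ == "__main__":
    # Constructed sample message headers.
    for row in check_recipients("user@army.mil",
                                ["Jane <jane@army.ml>, bob@navy.mil"]):
        print(row)
```

Returning the suggested .mil address lets a mail gateway reject the message with a correction the sender can act on, rather than silently dropping it.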