State-sponsored hackers have used a zero-day vulnerability to hijack a small number of high-profile email accounts at Estonian email provider Mail.ee.
The attacks took place last year and the vulnerability in Mail.ee's service has been fixed, the Estonian Internal Security Service (KaPo) said in an end-of-year report published this month.
"This vulnerability was only exploited [against] a small number of email accounts belonging to persons of interest to a foreign country," KaPo said, without naming the victims.
The agency said the attacks took place with the help of malicious code hidden in emails sent to Mail.ee recipients.
The code executed when the user opened the email in the Mail.ee web portal. No user interaction was needed beyond opening the email.
The malicious code would automate actions against the user's Mail.ee web portal and enable and set up email forwarding.
"From the moment the email with the malicious code was opened, all of the emails sent to the target were redirected to an email account controlled by the attacker," KaPo said.
The Estonian intelligence agency said the attacks were highly targeted against "a small number of email accounts belonging to persons of interest to a foreign country."
"The general public and users of mail.ee need not worry," KaPo said.
The same report also touched on other 2019 attacks that targeted businesses and individuals in Estonia. These included spear-phishing operations orchestrated by other state-sponsored groups, such as Gamaredon (suspected Russian threat actor) and Silent Librarian (suspected Iranian threat actor).
"We know from experience that businesses and research institutions are often unaware that their data could be of interest to foreign intelligence services working in the economic interests of their country," it added.
In the cases of companies that might be the target of foreign hackers, KaPo is recommending a series of steps for choosing an adequate email provider that includes a series of basic security features and privacy protections. These include:
The KaPo report is available for download in PDF format from here.