Compromised Nevada State Email Account Used in New Phishing Campaign
October 29, 2025 – Incline Village, NV
A new wave of phishing messages appears to be originating from the State of Nevada’s official Outlook system, just weeks after the August ransomware attack that crippled state websites and forced widespread password resets across government agencies.
On Tuesday, October 28, a message was distributed bearing all the hallmarks of an internal government communication — complete with verified Outlook headers, valid SPF, DKIM, and DMARC authentication, and the official state domain finance.nv.gov. The email, sent under the name Beatriz (Bety) Mena-Ortiz, an Executive Branch Audit Manager with the Governor’s Finance Office, included a Google Drive link and a password labeled “NGFO,” inviting recipients to “review the document below and get back to me at your earliest convenience.”
Despite appearing legitimate, cybersecurity experts note that this message is almost certainly a phishing attempt sent from a compromised state mailbox. The use of an external Google Drive link — rather than Nevada’s secured SharePoint or Teams file-sharing system — is considered a major red flag.
According to the full message headers, the email originated from Microsoft’s Office 365 servers, indicating it passed all standard authentication checks. This means the sender’s credentials or mailbox were likely hijacked during or after the state’s August cyberattack. In that incident, described by Governor Joe Lombardo’s office as a “network security event,” numerous state websites and internal systems were taken offline, with employees ordered to reset passwords and security tokens. Federal agencies including CISA assisted in the recovery.
Cybersecurity professionals have noted that phishing campaigns often follow major data breaches, as attackers reuse stolen credentials or exploit residual trust in official email domains. Bad actors often leverage prior incidents to impersonate state employees and trick recipients into opening malicious files.
The latest email matches that pattern — clean authentication, official state branding, and a malicious external link disguised as an internal request. The timing, roughly two months after the statewide compromise, suggests attackers retained or resold credentials stolen during the earlier breach.
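The pattern described above, passing authentication combined with an external file-share link, can be checked mechanically at triage time. The Python sketch below is an added example, not code from this article or from the State of Nevada; the domain lists, the function name triage and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed policy values for this sketch; tune them to your own tenant.
INTERNAL_DOMAINS = ("nv.gov",)
EXTERNAL_SHARE_HOSTS = ("drive.google.com", "docs.google.com")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def in_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    """Flag authenticated internal mail that points at an external file share."""
    msg = message_from_string(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].lower().rpartition("@")[2]
    # msg.get() returns the topmost Authentication-Results header; confirm it is
    # the one stamped by your own gateway before relying on it.
    auth = {k.lower(): v.lower()
            for k, v in AUTH_RE.findall(str(msg.get("Authentication-Results", "")))}
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    body = "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    external = sorted(h for h in hosts if in_domain(h, EXTERNAL_SHARE_HOSTS))
    reasons = []
    # SPF/DKIM/DMARC passing proves the sending domain, not who is at the keyboard.
    if in_domain(sender_domain, INTERNAL_DOMAINS) and authenticated and external:
        reasons.append("authenticated internal sender links to " + ", ".join(external))
        if re.search(r"\bpassword\b", body, re.I):
            reasons.append("access password supplied in the message body")
    return {"authenticated": authenticated, "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample message (not the real email described in the article).
SAMPLE = """\
From: Sender <sender@finance.nv.gov>
To: recipient@example.org
Subject: Document for review
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=finance.nv.gov;
 dkim=pass header.d=finance.nv.gov; dmarc=pass header.from=finance.nv.gov

Please review the document below and get back to me.
https://drive.google.com/file/d/EXAMPLE/view
Password: EXAMPLE
"""
```

Calling triage(SAMPLE) marks the constructed message as suspicious even though all three authentication results pass; the same message with a SharePoint link in place of the Google Drive link is not flagged.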
Recipients are urged not to open the Google Drive file or enter the listed password.
Neither the Internal Audit department nor the Information Security Department at the State of Nevada responded to requests for comment.
This latest incident underscores how the August ransomware attack continues to ripple through Nevada’s government networks, raising questions about post-incident containment and the ongoing protection of state email accounts.
The continued use of official Outlook servers to send malicious messages suggests that remediation efforts under Governor Lombardo’s administration may not have fully secured all compromised credentials. Cybersecurity oversight within the executive branch is now likely to face renewed scrutiny.



