Over 100,000 U.S. military emails have been misdirected to Mali this year due to a spelling mistake that sent emails to .ML instead of .MIL addresses. The emails contain sensitive information about personnel, travel plans, and financial records. While not classified, the data could provide intelligence value if exploited. Control of the .ML domain is transferring to the Malian government which has ties to Russia, raising concerns the misdirected emails could be used to their advantage. The Pentagon says it is aware of the issue and blocking emails from leaving the .MIL domain, but mistakes still happen.
That’s only for emails sent from the .mil domain. Emails sent from other domains don’t have the same filters in place. The issue is that plenty of other domains are attempting to send emails to the .mil domain and are actually sending to the .ml domain. The article only confirms a filter is in place for .mil users, so it’s entirely possible that .gov users have no such filter. Plenty of government workers with .gov domains would be trying to send sensitive info to .mil users. Or government contractors, who would have a whole bunch of possible domains, would be trying to send to the .mil domain and failing.
It’s a pretty big, and stupid, breach, but I’m not sure how you get everyone who’s not part of your closed system to ensure they’re typing out .mil correctly.