

As a result, thousands of Israelis received emails that appeared to be official notices about police investigations or tax debts. These emails included attachments that, when opened, installed malware giving hackers full remote control over the recipient’s computer. The messages were highly convincing, bypassed spam filters and landed directly in users’ inboxes.
“We were easily able to replicate the sending of fake emails that looked identical to official communications from Cellcom, Ashdod Port, the Netanya municipality, Isrotel hotel chain, Bank Hapoalim and more,” said Nati Tal, head of research at Guardio. “The emails passed all security checks and reached their targets. This opens the door to extremely sophisticated attacks that are very hard to detect.”
In addition to the exploited vulnerability, Guardio researchers identified two more severe flaws that had not yet been used but posed significant threats. The first would have allowed full impersonation of Cellcom business customers’ domains, bypassing standard email authentication protocols such as SPF and DMARC, which are designed to verify the sender’s identity.
The second flaw—described as the most dangerous—allowed attackers to send completely anonymous emails, without needing a username or password, on behalf of Cellcom clients or any other domain.
This could have enabled mass phishing attempts impersonating banks, government offices, insurance companies, or well-known brands to steal passwords and credit card details or to gain control of smartphones, laptops, and enterprise systems. Guardio warned that a scenario in which a hacker impersonates a company CEO and sends fraudulent payment instructions to a CFO is entirely plausible under such conditions.
Guardio said it immediately contacted Cellcom, which it said responded “with full cooperation and at record speed” to fix the flaws. Cellcom engineers updated and hardened the NetVision email infrastructure and revised permissions for hundreds of thousands of users. The company noted it did so under technical constraints while maintaining uninterrupted service.
The case highlights once again the Achilles’ heel of major service providers: a single vulnerable provider can expose thousands of organizations and individuals to massive cyber threats. This is especially critical at a time when cyberspace has become an active front in geopolitical conflict. While this incident was contained quickly, future breaches may not be so easily resolved.
Email systems remain a significant security weak point due to outdated protocols. Both email and SMS are among the easiest channels to exploit for phishing and malware attacks.
The National Cyber Directorate did not respond by press time to questions regarding whether other Israeli telecom providers’ email services had been audited for similar vulnerabilities.
“All relevant teams acted quickly to contain the damage,” NetVision said in a statement. “We are reviewing the incident and continuing to improve our systems to prevent future occurrences.”