1. The Tax Service: Zero Protection
Confirmed -- DNS Query
Armenia's State Revenue Committee (taxservice.am), the agency responsible for collecting all taxes in the country, has no DMARC record whatsoever.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the standard that prevents attackers from sending emails that appear to come from your domain. Without it, anyone on the internet can send an email that says it is from @taxservice.am -- and most email systems will accept it without question.
With zero DMARC on taxservice.am, an attacker can send an email to any Armenian citizen or business saying: "You owe 500,000 AMD in unpaid taxes. Pay immediately to avoid penalties." The email would show from: notifications@taxservice.am and there would be no technical mechanism to detect it as fake.
This is not a theoretical risk. Tax authority impersonation is one of the most common and profitable phishing attacks worldwide. Armenia's Tax Service has simply left the front door open.
The implications extend beyond phishing. During tax season, spoofed emails could direct businesses to fake payment portals. During audits, forged "official" correspondence could manipulate taxpayers. During elections, fake tax communications could be used to harass or intimidate political donors.
2. The President: 80% Spoofing Window
Confirmed -- DNS Query
The Office of the President of Armenia -- president.am -- technically has a DMARC record. But it is configured with pct=20, meaning only 20% of incoming emails are actually checked against the policy.
The pct parameter is designed for gradual rollout -- organizations set it to 20% temporarily while testing, then raise it to 100%. But president.am appears to have stopped at 20% and never completed the rollout. The result: 4 out of every 5 spoofed emails claiming to come from the Armenian President's office will bypass DMARC entirely.
3. Military Email: 7 Years Unpatched, 3 Known RCEs
Critical -- Known Exploits
Armenia's Ministry of Defense email system -- mail.mil.am -- runs Zimbra Collaboration Suite with build identifier v=190819071639. That build date: August 19, 2019.
The military email server has not been updated in nearly 7 years.
CVE-2022-27925 -- Remote Code Execution (RCE). Allows an attacker to execute arbitrary code on the server through directory traversal in the mboximport functionality. CVSS: 7.2.
CVE-2022-37042 -- Authentication Bypass. Can be chained with CVE-2022-27925 to achieve unauthenticated RCE. This combination was actively exploited in the wild against government targets globally. CVSS: 9.8.
CVE-2023-37580 -- Cross-Site Scripting (XSS). Reflected XSS in Zimbra Classic Web Client that was exploited in targeted attacks against government organizations. Google TAG documented its active exploitation.
The server is hosted externally at IP 5.63.161.236 -- not on government infrastructure. Armenia's military email runs on a 7-year-old platform with at least three known critical vulnerabilities, including one that allows complete remote takeover of the server, hosted on infrastructure the Ministry does not directly control.
CVE-2022-37042 combined with CVE-2022-27925 gives an attacker unauthenticated remote code execution on the military email server. This means: reading all military emails, sending emails as any military address, pivoting to other connected systems, and establishing persistent access. These vulnerabilities have been publicly known since 2022. They have been actively exploited against government targets worldwide. Armenia's Ministry of Defense has done nothing for 4 years.
4. Central Bank FIU: Employee Names Leaked
Documented -- Wayback Machine
The Central Bank of Armenia's mail.cba.am ran Lotus Notes/Domino -- a legacy email system that IBM stopped developing years ago. The Wayback Machine cached directory paths that reveal real employee names at the Financial Intelligence Unit (FIU):
- /mail/silanyan_fiu.nsf -- reveals an employee surname "Silanyan" working at the FIU
- /mail/susmelikyan.nsf -- reveals an employee surname "Melikyan" (or "Susmelikyan")
The FIU is Armenia's anti-money-laundering unit -- the agency that investigates financial crimes, terrorist financing, and sanctions evasion. Exposing the names of its employees on the public internet creates targeted attack vectors. Anyone investigating illegal financial flows now knows exactly which analysts to target with phishing, social engineering, or worse.
Financial Intelligence Unit employees handle classified information about ongoing money-laundering investigations. Their identities should be protected. Having their names indexed by the Wayback Machine via exposed Lotus Notes databases means: spear-phishing targeting specific FIU analysts by name, social engineering using knowledge of their role, physical surveillance or intimidation of people investigating financial crimes, and foreign intelligence services mapping Armenia's anti-money-laundering personnel.
5. Central Bank Jira: Hosted in France, Anonymous Access
Confirmed -- Wayback Cache
The Central Bank's Jira project management system -- jira.cba.am -- was found at IP 5.39.205.116, an OVH server located in France. It runs Jira version 9.4.9, build 940009, with a creation date of September 2023.
The cached metadata reveals a particularly dangerous flag:
com.atlassian.jira.leaked.all.anonymous.access: true
This flag indicates that anonymous users -- anyone on the internet without credentials -- could browse the Central Bank's project management system. Additionally, an internal IP address was leaked through the response headers: 192.168.93.214, originating from a Citrix NetScaler gateway.
This finding has been covered in detail in OWL's separate investigation: Armenia's Central Bank Exposed: Internal Network, Project Tracker, and Anonymous Access.
6. Email Security Scorecard
OWL queried the DMARC, SPF, and DKIM records for Armenia's most critical government domains. The results paint a clear picture of institutional failure:
| Domain | DMARC | Policy | Notes | Grade |
|---|---|---|---|---|
| cba.am | Yes | reject, pct=100 | Full enforcement, best in government | A- |
| mfa.am | Yes | reject | sp=none for subdomains -- gap for spoofing sub.mfa.am | B |
| gov.am | Yes | quarantine | Not rejecting -- spoofed mail lands in spam, not blocked | B- |
| president.am | Yes | reject, pct=20 | 80% of spoofed emails bypass checks entirely | C |
| taxservice.am | NONE | -- | Zero authentication -- full spoofing possible | F |
| court.am | Broken SPF | -- | SPF misconfigured, no DMARC, hosted on private ISP (Ucom) | F |
Only one Armenian government domain -- the Central Bank -- has proper email authentication. The country's tax authority and courts have none. The President's office has a token deployment that covers only 20% of traffic. Foreign Affairs leaves subdomains unprotected.
What the grades mean
- A-: DMARC at reject with full enforcement. Spoofed emails are blocked.
- B/B-: DMARC exists but with gaps (subdomain policy, quarantine instead of reject).
- C: DMARC exists on paper but enforcement is so low it provides minimal protection.
- F: No functional email authentication. Anyone can impersonate the domain.
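An added example (not OWL's tooling): a parser that applies the rubric above to the text of a DMARC TXT answer, such as the output of `dig +short TXT _dmarc.<domain>`. Only the president.am record is quoted in the article; the other sample records are constructed from the scorecard's Policy column, and grading p=none as F is an assumption because the rubric does not cover it.

```python
"""Grade DMARC TXT records with the article's rubric (added example)."""

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not valid DMARC."""
    body = (txt or "").strip().strip('"')
    pairs = [tuple(s.strip().lower() for s in part.split("=", 1))
             for part in body.split(";") if "=" in part]
    # The v=DMARC1 tag must come first and p= must name a known policy.
    if not pairs or pairs[0] != ("v", "dmarc1"):
        return None
    tags = dict(pairs)
    return tags if tags.get("p") in POLICIES else None

def grade(txt):
    """Return (grade, findings) for one TXT answer at _dmarc.<domain>."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "F", ["no valid DMARC record"]
    policy = tags["p"]
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    sp = tags.get("sp", policy)  # the subdomain policy defaults to p
    if policy == "none":  # assumption: the rubric has no grade for p=none
        return "F", ["p=none: monitoring only, nothing is enforced"]
    if pct < 100:
        return "C", [f"pct={pct}: policy applied to only {pct}% of failing mail"]
    if policy == "quarantine":
        return "B-", ["p=quarantine: failing mail is not rejected"]
    if sp != "reject":
        return "B", [f"sp={sp}: subdomains are not held to reject"]
    return "A-", []

# Constructed sample records (not live DNS answers), keyed by domain.
SAMPLES = {
    "cba.am": "v=DMARC1; p=reject; pct=100",
    "mfa.am": "v=DMARC1; p=reject; sp=none",
    "gov.am": "v=DMARC1; p=quarantine",
    "president.am": "v=DMARC1; p=reject; pct=20",  # as quoted in the article
    "taxservice.am": "",  # empty answer: no record published
}

def scorecard(records):
    """Grade every domain in a {domain: txt_record} mapping."""
    return {domain: grade(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, (g, findings) in scorecard(SAMPLES).items():
        print(f"{domain:15} {g:3} {'; '.join(findings) or 'full enforcement'}")
```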
7. Infrastructure Mapping
Pattern Analysis
OWL's passive reconnaissance identified the following network ranges hosting Armenian government infrastructure:
| Network Range | Usage | Notes |
|---|---|---|
| 91.221.228-229.x | Core gov.am infrastructure | Primary government network block |
| 212.73.73-76.x | Secondary government services | Various state agencies |
| 83.139.22.x | NSS + MFA | National Security Service and Foreign Ministry |
| 5.63.161.236 | Military email (mail.mil.am) | External hosting -- not government-controlled |
| 5.39.205.116 | Central Bank Jira | OVH France -- not government-controlled |
Critical hosting observations
- Military email hosted externally at 5.63.161.236 -- Armenia's Ministry of Defense trusts its email to infrastructure it does not directly control
- Central Bank Jira in France at OVH -- the CBA's internal project management tool sits on a French hosting provider
- Court system on private ISP -- court.am is hosted on Ucom, a private Armenian ISP, rather than government infrastructure
- police.am wildcard Flash crossdomain.xml -- the Police website had a wildcard crossdomain.xml policy, allowing any Flash application from any domain to make cross-origin requests
- sns.am on legacy CMS -- the National Security Service website runs on Joomla/Mambo, a CMS platform with a long history of critical vulnerabilities
The pattern is clear: Armenian government agencies deploy critical infrastructure wherever is most convenient, with no centralized security standards, no patch management, and no monitoring.
8. The Bigger Picture: Armenia's Cyber Catastrophe
These email and infrastructure failures do not exist in isolation. OWL has previously documented the complete scope of Armenia's cyber catastrophe: 351+ compromised accounts across all state institutions, 100% weak passwords at the NSS and Parliament, Russian state actors targeting elections, Predator spyware on parliamentary systems, and 8 million government records for sale for $2,500.
Consider what an attacker has to work with: 351+ stolen credentials from malware infections. A military email server with known unauthenticated RCE. A tax service that can be impersonated with zero effort. A president's office where 80% of spoofed emails pass. FIU analyst names for targeted spear-phishing. A Central Bank Jira with anonymous access and a leaked internal IP.
These are not separate problems. They are layers of the same systemic failure. An attacker does not need to choose one vector -- they can chain them. Send a spoofed @taxservice.am email containing a link. The link exploits the unpatched Zimbra on mil.am. The compromised military email is then used to send legitimate-looking communications to CBA employees whose names were found via cached Lotus Notes paths.
With Armenia's parliamentary elections on June 7, 2026, the stakes are higher than ever. These email security failures make it trivial to forge "official" government communications, manufacture fake tax threats against political donors, impersonate military or security officials, and conduct disinformation campaigns using legitimate-appearing government email addresses.
9. How to Verify
Every finding in this investigation can be independently verified using public tools. No hacking required. No special access needed.
Tax Service DMARC (missing):
dig TXT _dmarc.taxservice.am -- returns nothing. No DMARC record exists.
President DMARC (pct=20):
dig TXT _dmarc.president.am -- shows v=DMARC1; p=reject; pct=20
Military Zimbra version:
Check web.archive.org for cached pages of mail.mil.am -- the Zimbra login page contains v=190819071639 in its source.
CBA FIU employee names:
Check web.archive.org for cached paths of mail.cba.am -- Lotus Notes .nsf database paths contain employee names.
CBA Jira anonymous access:
Check web.archive.org for cached pages of jira.cba.am -- the page metadata contains the anonymous access flag.
Court.am hosting:
dig A court.am -- resolves to Ucom IP ranges, not government infrastructure.
Methodology Note
OWL conducts only passive OSINT research. We do not perform active scanning, penetration testing, or unauthorized access. All data in this article comes from: public DNS queries, cached pages on the Wayback Machine, certificate transparency logs (crt.sh), and published CVE databases. We did not access any Armenian government systems.
Recommendations
For the Government of Armenia:
- taxservice.am: Deploy DMARC immediately with p=reject; pct=100. This is the single most impactful fix -- it costs nothing and prevents spoofing of tax authority emails.
- president.am: Raise pct to 100. The current pct=20 leaves an 80% window for spoofing. Complete the rollout.
- mail.mil.am: Patch Zimbra or migrate immediately. Running a 7-year-old email server with known unauthenticated RCE on military infrastructure is not negligence -- it is a national security emergency.
- court.am: Fix SPF and deploy DMARC. Move hosting to government-controlled infrastructure.
- CBA: Remove exposed Lotus Notes paths from any cached or accessible servers. Audit all cba.am subdomains for exposed services.
- Centralize government email security. Establish mandatory DMARC at p=reject; pct=100 for all .am government domains. Create a centralized patch management policy with maximum 30-day patching windows for critical CVEs.
- Stop hosting critical infrastructure on foreign servers. Military email and Central Bank tools should not be on external hosting providers outside Armenia.
Timeline
| Date | Event |
|---|---|
| August 2019 | Last update to mail.mil.am Zimbra (build v=190819071639) |
| September 2023 | CBA Jira instance created at jira.cba.am on OVH France |
| 2022-2023 | Three critical Zimbra CVEs published -- mil.am remains unpatched |
| Various | Wayback Machine caches mail.cba.am Lotus Notes paths with FIU employee names |
| April 11, 2026 | OWL publishes this investigation |