Write Up:

Statewide, MoDOT maintains thousands of computer devices. Keeping those computers safe from outside threats is a 24-hour responsibility that requires the latest security measures.

For the third quarter of fiscal year 2026, MoDOT received a total of 30,536 emails containing malicious content (links and/or attachments) that were delivered to user inboxes. Of those 30,536 delivered emails, seven recipients clicked on the links or attachments. Among those seven clicks, three were blocked at the time of the click, while the remaining four were permitted.

This quarter saw the largest number of malicious emails delivered to user inboxes since this measure was first tracked. The previous high was 17,147 malicious emails delivered in the second quarter of FY 2026. Out of the 90 days in this quarter, there were only 11 days when MoDOT did not receive a malicious email directly to a user’s inbox. These emails came from 41 campaigns involving five threat actors.

MoDOT continues to emphasize cybersecurity and provide training for all department computer users. The cybersecurity oversight team works to identify areas of vulnerability and deploy solutions to address risk. In addition, MoDOT utilizes the Office of Administration’s network firewall services, as well as endpoint cybersecurity detection and remediation services, to provide increased cyber protection.

Purpose of the Measure:

This measure reports MoDOT's average click rate on malicious email links and attachments. Using this measure, MoDOT can compare performance to previous quarters and make adjustments in the security training program to reflect the observed trend.

Measurement and Data Collection:

The incident data for this measure is captured from MoDOT's e-mail security platform.
The target for this measure is zero clicks.