Engineering & Architecture Firms Targeted with Ransomware via Fake Project RFP Emails
THREAT INTEL | HIGH

Published April 24, 2026
Current as of April 24, 2026
Source: FBI Cyber Division / ACEC Cybersecurity Alert
Affected Systems
  • AutoCAD and Revit project file repositories
  • Engineering project management platforms (Procore, Deltek)
  • Microsoft 365 email and SharePoint
  • Network-attached storage (NAS) containing project archives
  • BIM (Building Information Modeling) servers
Executive Summary

Threat actors are sending highly convincing phishing emails to engineering and architecture firms disguised as project Request for Proposal (RFP) documents. Opening the attached “RFP” deploys ransomware that encrypts CAD files, project databases, and client deliverables. Multiple Texas firms have been hit in April 2026.

How the Attack Works

Attackers are conducting reconnaissance on engineering and architecture firms using LinkedIn, company websites, and public project databases to identify firms that are actively bidding on projects. They then craft highly convincing phishing emails that appear to come from government agencies, general contractors, or real estate developers, inviting the firm to submit a proposal for a specific project. The email includes an attached PDF or Word document described as the RFP package. When opened, the document exploits a Microsoft Office or Adobe Reader vulnerability — or uses a malicious macro — to deploy ransomware. The ransomware specifically targets engineering file types including .dwg, .rvt, .ifc, .pdf, and project database files.

Why Engineering Firms Are High-Value Targets

Engineering and architecture firms are attractive ransomware targets for several reasons. First, project files are irreplaceable — years of CAD work, structural calculations, and client deliverables cannot be quickly recreated, creating enormous pressure to pay the ransom. Second, firms often have tight project deadlines where even a few days of downtime can trigger contract penalties. Third, engineering firms frequently hold sensitive client data including site plans, security system designs, and infrastructure details that have additional extortion value. Fourth, many engineering firms are small to mid-sized businesses without dedicated IT security staff, making them easier targets than large enterprises.

The RFP Phishing Lure in Detail

The sophistication of these attacks is notable. Attackers research the target firm’s recent projects and specializations, then craft RFPs that match the firm’s expertise. A structural engineering firm might receive an RFP for a bridge rehabilitation project from what appears to be TxDOT. A mechanical engineering firm might receive an HVAC design RFP from a known commercial developer. The email addresses are spoofed or use lookalike domains (txd0t.gov instead of txdot.gov). The RFP documents themselves are professionally formatted and contain realistic project details. This level of targeting means employees who would normally be skeptical of generic phishing emails may be fooled.

Protecting Your Engineering Firm

The most effective defense is a verification policy: any RFP or bid invitation received via email must be verified by calling the purported sender at a phone number obtained independently (not from the email) before any attachments are opened. This single control would prevent the majority of these attacks. Additionally, implement email security that sandboxes attachments before delivery, deploy endpoint detection and response (EDR) on all workstations, and ensure that project file repositories are backed up to immutable storage that cannot be encrypted by ransomware. Consider implementing a policy that all external email attachments are opened in a sandboxed virtual environment rather than directly on workstations.

What to Do If You Are Hit

If ransomware is detected on your network, immediately disconnect affected systems from the network — unplug network cables or disable Wi-Fi. Do not shut down systems, as this can destroy forensic evidence. Contact your IT provider or Segler.Net immediately at (210) 496-7313. Do not pay the ransom without consulting cybersecurity experts. Report the incident to the FBI’s IC3 at ic3.gov. If you have immutable backups, recovery without paying the ransom is typically possible. Segler.Net can assist with incident response, forensic investigation, and recovery planning.

Intel last verified: April 24, 2026 — Threat status, patch availability, and affected systems are current as of this date.
Key Takeaways & Action Items
  • Train all staff to verify RFP and bid invitation emails by calling the sender directly before opening attachments
  • Implement email sandboxing that detonates attachments in an isolated environment before delivery
  • Back up CAD files, project databases, and BIM models to immutable cloud storage daily
  • Restrict who can open email attachments from external senders — route unknown senders through IT review
  • Contact Segler.Net for an email security assessment tailored to engineering firm workflows