Summary
- ITPro reports that Network Rail blocked 7,129,314 malicious emails between December 2025 and March 2026.
- The reported figures include phishing, malware-laden email, spam, and edge-blocked email.
- The figures do not indicate a successful compromise, but they show the volume of hostile activity facing UK rail infrastructure.
Network Rail blocked more than 7.1 million malicious emails between December 2025 and March 2026, according to freedom of information data reported by ITPro, showing the volume of hostile activity aimed at UK transport infrastructure.
The reported figures cover 7,129,314 blocked email attacks over four months. ITPro said the total included 331,352 phishing emails, 1,412 malware-laden emails, 2,066,392 spam emails, and 4,730,158 edge-blocked emails. The figures do not indicate that Network Rail was successfully compromised. They show the scale of hostile or unwanted traffic being filtered before it reaches users or systems.
Blocked-email numbers can be misleading when treated as evidence of an attack that almost succeeded. Here, the more useful reading is operational. A critical transport operator is exposed to persistent phishing, malware delivery, and opportunistic email abuse at a scale that demands disciplined controls, user reporting, logging, and response processes.
Network Rail is responsible for Britain’s railway infrastructure, including track, signalling, bridges, tunnels, level crossings, and major stations. Its digital systems support operational planning, engineering, maintenance, communications, corporate functions, and supplier coordination. Email compromise in such an environment may begin as a routine phishing attempt, but it can lead to credential theft, supplier fraud, lateral movement, and disruption if identity and access controls fail.
The wider UK rail context gives the figures additional weight. Transport has repeatedly appeared in cyber resilience discussions because disruption is visible, economically costly, and difficult to contain once passenger services, station operations, refunds, staff access, or supplier systems are affected. The 2024 cyberattack on Transport for London showed how an incident affecting identity, customer systems, and internal recovery processes can generate long-running operational and financial consequences even when core transport services continue.
Email remains attractive because it adapts to real business processes. Invoice approvals, engineering documents, supplier onboarding, human resources, rota changes, incident updates, and remote access prompts all create plausible pretexts for social engineering. Transport operators also work with large supplier ecosystems, distributed teams, contractors, and public-facing services, adding further opportunities for impersonation.
Email security controls therefore sit inside identity governance, supplier assurance, incident response, and business continuity. If a phishing message succeeds, the next stages depend on whether multi-factor authentication resists account takeover, whether privileged access is separated, whether unusual login activity is detected, whether supplier impersonation is caught, and whether recovery teams can revoke tokens and reset accounts at scale.
Aggregate email figures can also inform better risk management if they are analysed beyond headline volume. Organisations need to know which business processes are being targeted, which roles are most exposed, which suppliers are repeatedly impersonated, and whether training, controls, and detection are improving over time. Treating blocked email as background noise wastes intelligence that could identify weak points before a successful compromise.
The Network Rail figures do not show that rail infrastructure was close to compromise. They show that hostile traffic is constant and that defensive success is often uneventful by design. Resilience depends on filtering the obvious, detecting the subtle, and ensuring that one successful credential theft cannot become an infrastructure incident.





