At the Aspen Security Forum on Thursday, Microsoft executive Tom Burt said that phishing attacks—reminiscent of those carried out in 2016 against Hillary Clinton’s campaign—have targeted three midterm campaigns this year. Burt stopped short of attributing those efforts to Russia, but the disclosure is the first concrete evidence this year that candidates are being actively targeted online. They seem unlikely to be the last.

“The 2018 midterms remain a potential target for Russian actors,” said Matt Masterson, a senior cybersecurity adviser to DHS, at a Senate hearing last week. “The risks to elections are real.”

Meanwhile, a trend of destabilizing denial-of-service attacks against election-related systems has also emerged, including one that caused a results-reporting website to crash during a municipal primary in Knox County, Tennessee, in May, along with two reported DDoS assaults on unnamed Democratic campaigns. DDoS attacks have become common enough that both Alphabet’s Project Shield and Cloudflare’s Athenian Project have been offering free DDoS protection to election-related groups, like political campaigns, state and local governments, and boards of elections.