Front Page: NCSC-FI
Front Page: NCSC-FI

Office 365 email phishing and data breaches very common – detect, protect, inform!


In the spring of 2018, emails for employees and directors of several Finnish companies have been stolen and their credentials have been used in several cases of fraud and attempts of fraud. On the basis of notifications to the NCSC-FI, they have caused substantial losses and expenses to many Finnish companies. The NCSC-FI recommends that company directors allocate sufficient resources for the technical prevention and detection of frauds and data breaches and for the information to the employees about the threats.

Targeted criminal activity

In many cases, phishing and data breaches have been targeted at the members of the companies’ executive boards. The NCSC-FI believes that organised criminal groups, looking for easy money, are behind the incidents. Industrial espionage is, however, not excluded.

A common feature in these cases is that the criminals have been phishing for the employees with Office 365 email credentials by email and scam websites, and used the credentials for logging into the email systems of companies using Office 365 email. After a successful login, the attackers have changed the email settings for people in decision-making position or people dealing with money transfers or invoices so that the company’s email system automatically sends a copy of all these people’s messages to the attackers. The attackers have also used the hacked credentials for sending new targeted phishing and scam emails.

Phishing of employees’ and directors’ email credentials via scam messages and websites using Office 365 as a theme is now very common. Very few companies are required to inform the NCSC-FI about information security incidents they have fallen victim to, and the NCSC-FI believes that the voluntarily sent reports are only the tip of the iceberg of this phenomenon. This is why the NCSC-FI published this red alert.


Target group of the alert

Directors, employees and administrators of ICT systems in organisations.

Possible solutions and restrictive measures

The NCSC-FI advises all companies using Office 365 products to check whether their email system has unauthorised forwarding settings, and logins from unusual places or at unusual times. The NCSC-FI also advises all companies using Office 365 products to consider putting restrictions to forwarding rules and to adopt two-factor authentication. Further technical guidelines can be found in the Information Security Now! article, see the link at the end of this warning.

The NCSC-FI advises all Finnish organisations to inform their personnel of user name and password phishing, and the importance of being cautious when dealing with email. Further recommendations for information can be found in the Information Security Now! article, see the link at the end of this warning.

If you suspect a data breach, a fraud or some other offence, report it to the local police. The link to the online reporting can be found at the end of this warning.

We recommend that information security incidents are also reported to the NCSC-FI (External link). Those who inform are provided with free-of-charge advice on how to get the situation under control and to improve their information security. The NCSC-FI handles all notifications confidentially. The notifications are used to build nationwide situational awareness of cyber security and to coordinate the work between the authorities and the information security organisations to defend against threats.

More Information

Cooperation for better information security

The NCSC-FI wishes to thank all companies who have submitted a notification of information security breach. With these notifications the NCSC-FI can build nationwide situational awareness of cyber security and inform about the situation to improve security.

Cooperation with Microsoft has been very important to the NCSC-FI in terms of making guidelines for detecting and defending against threats.

Update history

11.06.2018 time 11:46 Julkaistu 11.06.2018 time 15:00 English translation. 08.08.2018 time 16:12 Warning level updated from red to yellow. 20.09.2018 time 16:38 Warning level rised from yellow (serious) back to red (critical). 26.10.2018 time 14:31 Warning level updated from red to yellow.

Alert was discontinued on 16 Sep 2019.