Weekly review of the National Cyber Security Centre Finland (NCSC-FI) - 37/2025

Alert: Microsoft 365 accounts compromised – beware of phishing

In 2025, the NCSC-FI received a total of 330 reports related to Microsoft 365 account compromises or attempted intrusions. In August alone, 70 such cases were reported. The number of incidents has increased significantly following the end of the summer holiday season. Numerous organisations have been exposed to breaches and subsequent phishing emails, and several account compromises may occur within the same organisation. On 9 September 2025, the NCSC-FI issued a yellow alert regarding M365 account breaches. The alert targets companies and other organisations, as well as their employees who use M365 products.

Criminals use stolen credentials to access M365 services, and compromised accounts are then exploited to send new phishing messages and to commit invoice fraud. Account breaches enable unauthorised access to emails and documents, exposing confidential data to misuse. At worst, such breaches can lead to business disruptions, reputational damage, and serve as a gateway to broader attacks.

Fraudulent messages are often disguised as contracts or invoices requiring action from the recipient. A typical message may contain a link to a file that prompts the user to log in with their M365 credentials to view the content. These phishing messages may even originate from legitimate file sharing platforms, such as SharePoint or OneDrive. However, the shared file in the service redirects the victim to a phishing site controlled by criminals. The seemingly authentic appearance of the messages makes them particularly difficult to detect.

Critical code – Software security at the core of security of supply

On 9 September 2025, the NCSC-FI organised a webinar on secure software development in cooperation with the Finnish National Emergency Supply Agency (NESA). The webinar was especially aimed at university-level ICT students and teachers. The audience of more than 600 registered participants also included company representatives and other interested parties.

The main goal of the webinar was to raise awareness of the importance of software security and to highlight the skills needed to ensure it. High-quality and secure software is essential for the uninterrupted functioning of society.

Ensuring software security requires not only skilled developers but also the integration of security into software projects and procurement processes. Educational institutions play a key role in raising awareness and building expertise. The event presented training opportunities in software security for both basic and adult education.

The webinar also provided practical tips for developers on how to ensure security in software development. Today’s development environments are attractive targets for attackers, making their protection a key part of supply chain security. While artificial intelligence can accelerate software development, the quality and security of AI-generated code must also be verified.

The webinar’s comment section was lively, and participants submitted a wide range of questions. The software security development project led by the NCSC-FI and NESA will continue – with more webinars planned, for example.

Watch the webinar recording here (External link)

August Cyber Weather report published

The end of the summer and holiday season was once again reflected in a clear increase in the number of reports received by the NCSC-FI.

In August, there was a significant surge in reports of Microsoft 365 account compromises—tripling compared to July. The growth in report volume was exceptionally sharp compared to previous years.

Phishing activity has also remained high following the end of the summer holiday period. As we enter the autumn season, organisations are advised to remind their staff about how to protect themselves against various cyber threats and to review key information security practices.

Malware review: Hummer

Hummer is a rootkit, which makes it extremely difficult to remove from an infected device. Having infiltrated a device, Hummer gains administrator privileges, shows the user ads and downloads applications that may be malicious or drain the device's battery quickly. Hummer also collects personal data and especially banking user ID and password pairs.

This malware is designed for the Android operating system, which means that iPhone users, for instance, do not need to be concerned about Hummer. Even though Hummer has not been found in Apple’s iOS operating system, the instructions below can also help iPhone users protect themselves against other types of malware.

Hummer attempts to gain administrator rights. With these elevated rights, the malware displays pop-up advertisements and installs unwanted applications in the background, such as games, adult content apps and other malicious software. If the user removes the applications that have been installed, the Hummer trojan simply reinstalls them again and again.

According to the latest information, the Hummer family includes more than 18 different root methods—that is, techniques for gaining root-level or administrator-level access privileges. Information security researchers have estimated that Hummer may be one of the most widespread trojans, and at its worst, it may have affected millions of phones.

How to protect against malware:

•  Never download apps from outside the official app store.
• Do not click on links in text messages without careful consideration.
• Use antivirus software on your phone as well.
• Pay attention to your phone’s behaviour, such as unusual slowness or strange activity.
• Know which apps you have installed. Ask yourself which apps you actually need and recognise. Do you notice anything suspicious in the app list—an app you did not install yourself?
• Protect your passwords. Do not store them in written form on your phone—for example, in notes or as contact details.
• Never share usernames or passwords via messages or over the phone. 
• Always install the latest updates as soon as they become available.

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.