Front Page: NCSC-FI

In August, the NCSC-FI received 70 reports related to Microsoft 365 account breaches. After the summer holiday season ended, the number of cases has risen significantly, and at present, organisational email accounts are being compromised at an accelerating pace. Numerous organisations have been exposed to breaches and subsequent phishing emails, and within a single organisation there may be several – even dozens – of compromised accounts. Criminals use stolen credentials to log in to Microsoft 365 services, and the hijacked accounts are then exploited to send new phishing messages and to carry out invoicing fraud.

[Image: yellow warning banner with the text "Microsoft 365 accounts are being compromised - beware of phishing"]

The NCSC-FI has received 330 reports in 2025 concerning M365 account breaches or related phishing. This is the same phenomenon about which we also issued a warning in autumn 2023. Through these data breaches, attackers have gained access to accounts and the emails connected to them. By exploiting these emails, the attackers are able, for example, to carry out invoicing fraud. The NCSC-FI is not aware of any cases where the access rights of a compromised account have been expanded or where attackers have been able to strengthen their foothold within the victim organisation’s environment by using a compromised account. However, account breaches do allow unauthorised access to emails and documents, which exposes confidential information to misuse. At worst, such breaches can lead to business disruptions and reputational damage, and serve as a gateway to broader attacks. Based on the reports received, the NCSC-FI checks malicious websites and, in its role as an authority, provides service providers worldwide with information on harmful sites that should be removed from the internet.

Progression of an M365 account breach

  • The attacker obtains the user’s username and password through a phishing message or site. The user, i.e. the victim, enters their details into the phishing page. If multi-factor authentication is not in use, the account is immediately accessible to the attacker.
  • The criminal logs into the M365 environment using the compromised credentials. They examine emails, contacts and files to gain an understanding of the user’s or organisation’s operations.
  • The attacker sends phishing emails from the compromised accounts to the accounts’ contacts, thereby attempting to compromise additional accounts.
  • In many cases, the attacker has exploited the victim’s SharePoint or OneNote service to share files that ultimately direct recipients to phishing sites.
  • The attacker may change the settings of the email account. For example, criminals may create email rules (such as forwarding messages) or install malicious applications in order to maintain access in the future. The goal is to remain undetected for as long as possible. The attacker may reuse legitimate emails previously sent by the victim, adding a link to a phishing site.

Detection

  • At present, many of the fraudulent messages are disguised to appear as contracts or invoices requiring action from the recipient. Concretely, the message may, for example, contain a link to a file named invoice.pdf that asks for login credentials before it can be opened. In reality, this is a fraudulent link, and any credentials entered are passed via the phishing site to the criminal.
  • Fraudulent messages may also be genuine file-sharing notifications sent through services such as SharePoint, but the shared file redirects the victim to a phishing site controlled by the attackers. This makes recognising phishing messages particularly difficult.
  • Criminals also exploit adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication; this has become more common in phishing attempts targeting Microsoft 365 accounts. More information on bypassing MFA using AiTM is available here.
  • In some cases, when a recipient has replied in Finnish to a phishing email, the attacker has responded in Finnish and urged the recipient to open the link contained in the phishing message.
  • There have also been cases where an attacker has attempted to add a rule to the mailbox to prevent the victim from seeing reply messages sent to the phishing email. The responses are redirected into a folder controlled by the attacker, who then engages in dialogue with the recipients, attempting to convince them and prompt them to act as desired.
  • If there is any doubt about the authenticity of a message, the matter should be verified via another communication channel. For example, the authenticity of an email can be checked by calling the sender.

Points to note

  • Changing the password alone is not sufficient if the attacker has stolen a so-called session cookie.
  • Multi-factor authentication (MFA) by itself does not fully prevent criminal activity.
  • Geographic restrictions on logins (geoblocking) are not always enough, as attack traffic can also be routed through Finland.

Target group of the alert

Companies and other organisations, as well as their employees and users who use Microsoft 365 products.

Possible solutions and restrictive measures

  • If you doubt the authenticity of a message you have received, do not reply to it. Verify the matter by other means, for example by calling or using an instant messaging tool.
  • If you suspect that an email account has been compromised, check the forwarding rules from both the administrator view and the user view.
  • Train and inform staff regularly about the risks related to phishing and account breaches.
  • Also ensure that the attacker has not added their own multi-factor authentication (MFA) device to the account.
  • Temporarily revoke all of the user’s access rights to terminate open sessions.
  • Implementing Conditional Access can be an effective way to improve protection.
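An added PowerShell triage script (not from the NCSC-FI alert or from Microsoft) that works through the checks above: forwarding from the administrator view and the user view, including the reply-hiding inbox rules described under Detection, the list of registered MFA methods, and session revocation for one suspected account. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator holds Exchange admin rights and the Graph scopes requested, and that the UPN at the end is a placeholder.

```powershell
# Added example (not from the NCSC-FI alert). Assumes the ExchangeOnlineManagement and
# Microsoft.Graph modules are installed and the operator has Exchange admin rights.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All", "UserAuthenticationMethod.Read.All"

# 1. Administrator view: mailbox-level forwarding set with Set-Mailbox. This is not
#    an inbox rule, so the user never sees it in Outlook.
function Get-MailboxForwarding {
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
        Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress,
                      DeliverToMailboxAndForward
}

# 2. User view: inbox rules that forward, redirect or delete mail, or that move it
#    out of sight (the alert describes replies being diverted to a folder the
#    attacker watches). The move+mark-as-read test is a heuristic to cut noise.
function Get-SuspiciousInboxRule {
    param([string[]] $Mailboxes)
    foreach ($mbx in $Mailboxes) {
        Get-InboxRule -Mailbox $mbx | Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
            $_.DeleteMessage -or ($_.MoveToFolder -and $_.MarkAsRead)
        } | Select-Object @{ n = 'Mailbox'; e = { $mbx } }, Name, Enabled,
                          ForwardTo, RedirectTo, MoveToFolder, DeleteMessage, Description
    }
}

# 3. Containment for one suspected account: list every registered authentication
#    method so an attacker-added MFA device stands out, then revoke refresh tokens to
#    end open sessions. Rotate the password separately; it alone does not end sessions.
function Invoke-AccountContainment {
    param([string] $Upn)
    Get-MgUserAuthenticationMethod -UserId $Upn | ForEach-Object {
        $p = $_.AdditionalProperties
        [pscustomobject]@{
            Id      = $_.Id
            Type    = $p['@odata.type'] -replace '^#microsoft\.graph\.', ''
            Display = $p['displayName']
            Created = $p['createdDateTime']
        }
    } | Format-Table -AutoSize
    Revoke-MgUserSignInSession -UserId $Upn
}

Get-MailboxForwarding | Format-Table -AutoSize
$upns = (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox).UserPrincipalName
Get-SuspiciousInboxRule -Mailboxes $upns | Format-Table -AutoSize
Invoke-AccountContainment -Upn 'suspected.user@example.com'   # placeholder UPN
```

Review any rule or method the user does not recognise before removing it, and run the rule sweep tenant-wide, since the alert notes that one organisation may have dozens of compromised accounts.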

Microsoft provides good instructions on how to block applications.

More Information

The figure below illustrates the cases related to M365 account breaches reported to the NCSC-FI in 2025. M365 account breaches occur in every sector. In addition to other sectors, the figure highlights three sectors that have been more frequently targeted.

[Image: example of an M365 phishing site]
Example of an M365 phishing site. Can you tell which one is the fraudulent site?