
Increasing number of Microsoft 365 account breaches due to phishing

The Finnish National Cyber Security Centre (NCSC-FI) has raised the alarm over a sharp rise in breaches of Microsoft 365 accounts. So far this year alone, more than 330 incidents have been recorded, dozens of which occurred in recent months. In some cases, attackers even managed to compromise multiple accounts or entire departments within a single organisation.

The attack method is often the same: a phishing email disguised as a legitimate invoice or shared document. Victims are directed to a fake login page, and once they enter their credentials there the criminals gain access to the account. They then abuse this access to spread further within the organisation or to external contacts, since mail sent from a genuine account is far more convincing than a spoofed one. To remain undetected for longer, attackers frequently change account settings, for example by enabling automatic email forwarding or creating inbox rules that send copies of incoming mail to an address they control.

Exploitation for invoice fraud

A common next step is invoice fraud, where attackers alter the bank account number on outgoing invoices. To customers, the invoice appears genuine, but the payment is redirected straight to the criminals. This not only results in financial losses but also causes serious damage to trust among clients and business partners.

Possible consequences

  • Financial losses from payments redirected to accounts controlled by the criminals

  • Unauthorised access to sensitive information and business data

  • Reputational damage with clients and partners

  • Disruption of daily operations

Recommended measures

To reduce the risk of such incidents, it is important to:

  • enable multi-factor authentication (MFA) for all accounts by default,

  • regularly review account settings and inbox rules, in particular automatic forwarding to external addresses,

  • remain alert to unexpected changes in documents and invoices, especially changed bank account numbers,

  • and raise staff awareness of phishing risks.
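As an added worked example, not part of the NCSC-FI advisory, the following Python script shows how the forwarding tricks described in the attack description can be picked out of exported Microsoft 365 unified audit log records, which is also the practical form of the advice to review account settings and email rules. It reads one AuditData JSON object per line, in the shape exported by Search-UnifiedAuditLog or the Office 365 Management Activity API, flags inbox rules and mailbox settings that forward or redirect mail, rates external targets combined with deletion or hiding as most serious, and groups flagged accounts by client IP to surface one source touching several mailboxes. The records, addresses and IP addresses in it are constructed for the example, and the internal domain list (example.fi) is an assumption.

```python
"""Triage Microsoft 365 unified audit log records for mailbox forwarding changes.

Each input line is the AuditData JSON of one Exchange audit event, as exported
by Search-UnifiedAuditLog or the Office 365 Management Activity API. The sample
records below are constructed for this example; they are not real logs, and the
users, addresses and IPs are invented.
"""
import json

# Constructed sample: one compromised account (anna) whose attacker adds a hidden
# forwarding rule and mailbox-level forwarding from IP 203.0.113.45, a benign
# housekeeping rule, an external redirect without hiding, and an internal forward
# created from the same attacker IP on a second account.
SAMPLE_AUDIT_DATA = r"""
{"CreationTime":"2024-05-03T07:12:41","Operation":"New-InboxRule","Workload":"Exchange","UserId":"anna.virtanen@example.fi","ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;lasku;payment"},{"Name":"ForwardTo","Value":"collector@attacker.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-05-03T07:13:05","Operation":"Set-Mailbox","Workload":"Exchange","UserId":"anna.virtanen@example.fi","ClientIP":"203.0.113.45","Parameters":[{"Name":"Identity","Value":"anna.virtanen"},{"Name":"ForwardingSmtpAddress","Value":"smtp:collector@attacker.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2024-05-03T08:30:00","Operation":"New-InboxRule","Workload":"Exchange","UserId":"jari.makinen@example.fi","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2024-05-03T09:01:10","Operation":"Set-InboxRule","Workload":"Exchange","UserId":"jari.makinen@example.fi","ClientIP":"198.51.100.7","Parameters":[{"Name":"Identity","Value":"Home copy"},{"Name":"RedirectTo","Value":"jari.private@example.net"}]}
{"CreationTime":"2024-05-03T09:40:00","Operation":"New-InboxRule","Workload":"Exchange","UserId":"laura.nieminen@example.fi","ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"Helpdesk"},{"Name":"ForwardTo","Value":"helpdesk@example.fi"}]}
{"CreationTime":"2024-05-03T09:45:00","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"anna.virtanen@example.fi","ClientIP":"203.0.113.45"}
"""

# Parameters that deliver a copy of mail elsewhere (inbox-rule and mailbox level).
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
# Parameters attackers combine with forwarding so the owner never sees the mail.
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def parse_records(text):
    """One AuditData JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def params_of(record):
    """Flatten the Parameters list [{Name, Value}, ...] into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_truthy(value):
    return str(value).strip().lower() in ("true", "$true", "1")


def is_internal(address, internal_domains):
    """Targets may carry an 'smtp:' prefix; compare the lowercased domain part.
    internal_domains is assumed to hold lowercase domain names."""
    addr = str(address).strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    return "@" in addr and addr.rsplit("@", 1)[1] in internal_domains


def find_forwarding_changes(records, internal_domains):
    """Return one finding per rule or mailbox change that forwards mail.

    Severity: critical = external target plus a hiding action,
              high     = external target,
              medium   = internal target (still worth a look).
    """
    findings = []
    for rec in records:
        if rec.get("Workload") != "Exchange" or rec.get("Operation") not in WATCHED_OPERATIONS:
            continue
        params = params_of(rec)
        targets = [str(params[k]) for k in sorted(FORWARDING_PARAMS) if k in params]
        if not targets:
            continue  # e.g. a plain move-to-folder rule: not a forwarding change
        external = [t for t in targets if not is_internal(t, internal_domains)]
        hiding = [k for k in sorted(HIDING_PARAMS)
                  if k in params and (k == "MoveToFolder" or is_truthy(params[k]))]
        if external and hiding:
            severity = "critical"
        elif external:
            severity = "high"
        else:
            severity = "medium"
        findings.append({
            "time": rec.get("CreationTime"),
            "user": rec.get("UserId"),
            "client_ip": rec.get("ClientIP"),
            "operation": rec["Operation"],
            "rule_name": params.get("Name") or params.get("Identity"),
            "targets": targets,
            "hiding": hiding,
            "severity": severity,
        })
    return findings


def accounts_by_client_ip(findings):
    """Group flagged accounts by source IP: one IP changing forwarding on several
    mailboxes is the 'multiple accounts in one organisation' pattern."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["client_ip"], set()).add(f["user"])
    return {ip: sorted(users) for ip, users in by_ip.items()}


if __name__ == "__main__":
    found = find_forwarding_changes(parse_records(SAMPLE_AUDIT_DATA), {"example.fi"})
    for f in found:
        print(f"{f['severity']:8} {f['time']} {f['user']} {f['operation']} "
              f"-> {', '.join(f['targets'])} hiding={f['hiding'] or '-'} ip={f['client_ip']}")
    for ip, users in accounts_by_client_ip(found).items():
        if len(users) > 1:
            print(f"IP {ip} changed forwarding on {len(users)} accounts: {', '.join(users)}")
```

On the constructed sample the script reports anna's rule as critical (external target plus DeleteMessage), her mailbox-level forwarding and jari's private redirect as high, laura's internal forward as medium, and notes that 203.0.113.45 changed forwarding on two accounts. Two caveats when running it on real exports: Search-UnifiedAuditLog returns AuditData as a JSON string inside a larger record, so unwrap it first, and rules created from the Outlook desktop client are logged as an UpdateInboxRules operation with a different parameter layout that this script does not parse.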

Just one click may be enough to cause severe damage.