Region Värmland hacked for four months — how to protect your M365 environment

Region Värmland was hit by a phishing attack where threat actors gained access to employee Microsoft 365 email accounts. The breach lasted from October 2025 to February 2026 — four months undetected. CERT-SE reported the incident in their latest weekly newsletter.

Four months. That is enough time to read all internal communications, map supplier chains, prepare fraudulent invoices, and launch BEC attacks against the organization's contact network.

Why Every Swedish SMB Should Pay Attention

This is not an isolated incident. Throughout 2026, CERT-SE has warned about a significant increase in Business Email Compromise attacks targeting Swedish SMBs. The pattern is the same: compromised M365 accounts are used to send fraudulent invoices and change payment details.

Region Värmland is a large organization with resources. If they failed to detect the breach for four months — what does that look like at a company with 15 employees and no dedicated IT security?

Three Things You Can Do Today

1. Review MFA methods. If anyone in the organization still logs in with just SMS or TOTP — upgrade to FIDO2 keys or Passkeys. SMS verification cannot stop modern phishing kits that capture MFA codes in real time.

2. Enable sign-in logs in Entra ID. Set up alerts for logins from unexpected locations, new devices, and anonymous proxies. This could have caught the Region Värmland breach weeks earlier.

3. Configure Defender for Office 365. Enable anti-phishing policies, Safe Links, and Safe Attachments. Verify that impersonation protection is enabled for executives and finance staff.

How HaggeBurger Can Help

We offer an email security assessment (half day) where we review MFA configuration, Defender for Office 365 policies, and sign-in logs. We can also run a FIDO2 migration for customers who want to move away from SMS verification. Contact us.

---

Source: CERT-SE Veckobrev v.13