Region Värmland hacked for four months — how to protect your business
A Swedish government region suffered a phishing attack that gave attackers access to email accounts for four months undetected. Here is how to avoid the same fate.
CERT-SE reported in its latest weekly briefing that Region Värmland was hit by a phishing attack. Attackers had access to multiple employee email accounts from October 2025 to February 2026. Four months without detection.
What happened
Threat actors gained access to employee email accounts at Region Värmland through phishing. The breach continued for at least four months before it was identified. Full details about the access method and exposed data have not been publicly disclosed, but the timeline speaks for itself.
Four months means the attackers could read internal communications, map the organization, and potentially use the accounts for further attacks against other organizations.
Why it matters
Region Värmland is a public sector organization with a dedicated IT department and resources that most SMBs can only dream of. If they failed to detect the breach for four months — what does that look like at a company with 15 employees and no dedicated security staff?
This is the reality of Business Email Compromise (BEC) in Sweden. The attacks are silent, they do not show up in standard logs unless you actively look, and they can persist for a long time.
What you should do
- Review sign-in logs in Entra ID — look for logins from unusual locations or devices. It takes 30 minutes with the right tools.
- Ensure MFA is enabled for all users, not just admins. Preferably phishing-resistant MFA like FIDO2 keys or Passkeys.
- Enable alerts in Defender for Office 365 for suspicious email activity. Default settings are not enough — you need configured alerts.
- Run a phishing simulation with your employees. It does not need to be complicated. One simulated attack per quarter makes a significant difference.
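For the first step, an added example (not from the original article or from Microsoft): Python that reads sign-in records exported from Entra ID and flags successful sign-ins from a country or device outside each user's first 14 days of activity. The field names follow the Microsoft Graph signIn resource; the 14-day baseline, the helper `sample_record` and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_ts(value):
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")  # UTC, whole seconds

def flag_unusual_signins(records, baseline_days=14):
    """Flag successful sign-ins from a country or device outside each user's baseline."""
    seen = defaultdict(lambda: {"start": None, "countries": set(), "devices": set()})
    findings = []
    for rec in sorted(records, key=lambda r: parse_ts(r["createdDateTime"])):
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue  # failed attempts did not yield a session
        when = parse_ts(rec["createdDateTime"])
        country = (rec.get("location") or {}).get("countryOrRegion") or "unknown"
        dev = rec.get("deviceDetail") or {}
        device = (dev.get("operatingSystem") or "unknown", dev.get("browser") or "unknown")
        user = seen[rec["userPrincipalName"].lower()]
        user["start"] = user["start"] or when
        if when - user["start"] <= timedelta(days=baseline_days):
            user["countries"].add(country)
            user["devices"].add(device)
            continue
        reasons = []
        if country not in user["countries"]:
            reasons.append("new country " + country)
        if device not in user["devices"]:
            reasons.append("new device " + "/".join(device))
        if reasons:
            # Flagged values never join the baseline, so long-lived access keeps being reported.
            findings.append((rec["createdDateTime"], rec["userPrincipalName"], rec.get("ipAddress"), reasons))
    return findings

def sample_record(ts, upn, ip, country, os_name, browser, code=0):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": code}, "location": {"countryOrRegion": country},
            "deviceDetail": {"operatingSystem": os_name, "browser": browser}}

# Constructed sample data: documentation IP ranges, example.com account, made-up times.
SAMPLE = [
    sample_record("2025-10-01T07:02:11Z", "anna@example.com", "192.0.2.10", "SE", "Windows10", "Edge"),
    sample_record("2025-10-06T07:15:40Z", "anna@example.com", "192.0.2.10", "SE", "Windows10", "Edge"),
    sample_record("2025-10-20T07:09:03Z", "anna@example.com", "192.0.2.10", "SE", "Windows10", "Edge"),
    sample_record("2025-10-21T02:14:09Z", "anna@example.com", "203.0.113.7", "NL", "Linux", "Firefox"),
    sample_record("2025-10-22T02:20:31Z", "anna@example.com", "203.0.113.7", "NL", "Linux", "Firefox", 50126),
    sample_record("2025-11-30T03:40:52Z", "anna@example.com", "203.0.113.7", "NL", "Linux", "Firefox"),
]
if __name__ == "__main__":
    print(*flag_unusual_signins(SAMPLE), sep="\n")
```

The baseline is only as trustworthy as the period it is built from: if an intruder was already signed in during those first days, their country and device are learned as normal, so start the export at a date you believe predates any compromise.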
How HaggeBurger can help
We offer an email security review (half day) covering MFA configuration, Conditional Access policies, and Defender for Office 365 settings. We also provide awareness training with phishing simulations tailored for Swedish SMBs.
Want us to check your environment? Get in touch.