Finland’s National Cyber Security Centre reported that February saw a continued surge in fraud and social engineering, including bank- and authority-impersonation scam calls, robocalls, high-quality phishing, and investment/crypto scams. The agency also noted that Microsoft 365 (M365) account compromises increased further, warning that stolen user accounts can enable follow-on abuse such as invoice fraud, CEO fraud (BEC), and large-scale secondary phishing sent from trusted, compromised mailboxes; it also cited multiple critical vulnerabilities in widely used software/services during the month, though impacts in Finland were described as limited.
Separately, Finland’s Security and Intelligence Service (SUPO) assessed that Russia and China continue extensive cyber-espionage and influence operations targeting Finland’s technology sector, research institutions, and government, describing cyber-espionage as the country’s most significant digital threat with no expectation of abatement. SUPO said foreign intelligence activity combines cyber intrusions with traditional espionage and political influence to collect sensitive information and shape decision-making, and pointed to prior high-profile incidents (e.g., the Vastaamo psychotherapy data breach and related extortion cases) as illustrative of the broader risk environment.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
16 events from the most recent confirmed update back to the earliest known activity.
Finland's Security and Intelligence Service and Traficom's National Cyber Security Centre announced a joint operation that disrupted Russian cyber espionage activity. The authorities warned that Russia exploits poorly secured home routers and other network devices as part of its espionage operations.
The Finnish National Cyber Security Centre's February cyber weather report said scams impersonating banks and authorities continued to increase, alongside further growth in Microsoft 365 account takeovers. It also noted multiple critical vulnerabilities in widely used software and services, though impacts in Finland remained limited.
Finland's Security and Intelligence Service released a national security assessment stating that Russia and China continue extensive cyber espionage and influence operations against Finland's government, research institutions, and technology sector. SUPO said cyber espionage remains Finland's most significant digital threat and is expected to persist long term.
Finnish authorities formally attributed the earlier intrusion into parliament IT systems to China-linked APT31, marking a key attribution development in the case.
On 2026-03-02, Finland's National Cyber Security Centre warned of a recent increase in fraudulent phone calls made in the names of banks. The callers claimed suspicious transfers or account anomalies to trick victims into revealing online banking credentials and confirmation codes, and Traficom advised people to hang up, contact their bank via official channels, and report incidents to police if data had been disclosed.
On 2025-11-27, Finland's National Cyber Security Centre said reported Microsoft 365 account compromise cases had declined and stabilized to roughly pre-warning levels, with monthly counts falling to about 70 in November after peaking at 125 in October. Based on the trend, Traficom removed its earlier warning while stressing that phishing and account takeover threats remain ongoing.
On 2025-09-09, Finland's National Cyber Security Centre said it had received 330 notifications in 2025 related to Microsoft 365 account compromises or phishing, describing the activity as a continuation of the campaign it had warned about in autumn 2023. The advisory said attackers were using phishing, including AiTM techniques, and abusing SharePoint or OneNote links, mailbox rules, and stolen session cookies to access email and files and enable follow-on fraud.
On 2025-02-26, Finland's National Cyber Security Centre said it had received several recent reports of fraudulent phone calls in which callers posed as representatives of the Cyber Security Centre. The notice warned that scammers were conducting phone fraud in the agency's name.
In its February 2024 cyber weather report, published on 2024-03-14, Traficom said Finland's threat environment remained notably active, with Microsoft 365 account compromises continuing through February. The agency also reported that a large number of Finnish organizations were targeted by denial-of-service attacks at the beginning of the month, alongside sustained hacktivist DDoS activity.
On 2023-10-20, Traficom published a serious warning about a wave of Microsoft 365 account breaches driven by phishing emails themed as secure mail messages. The autumn campaign sent thousands of phishing emails and led to hundreds of compromised accounts, with some attacks using adversary-in-the-middle techniques to bypass multi-factor authentication.
On 2023-04-28, Finland's National Cyber Security Centre warned that multiple Finnish organizations had again suffered Microsoft 365 account compromises through phishing emails disguised as secure mail notifications. The agency said municipalities and public administration were prominent among reported cases, and that compromised accounts were being used to send more phishing emails and attempt invoice fraud.
On 2023-04-21, Traficom's National Cyber Security Centre said Finland's cyber threat level had remained elevated and that reports of incidents were rising year by year. The agency said recent months had brought more targeted attacks against government administration and critical supply-security organizations, alongside more targeted ransomware activity and increased hacktivism.
On 2023-03-01, Finland's National Cyber Security Centre warned that aggressive phishing campaigns had led to breaches of many organizations' Microsoft 365 email accounts. The advisory said attackers used fake login pages to steal credentials, noted that MFA would have prevented many reported takeovers, and warned that compromised accounts were being abused for further phishing, invoice fraud, data theft, and possible ransomware follow-on activity.
Finland's accession to NATO increased the country's intelligence significance, contributing to heightened interest from foreign intelligence services according to SUPO's later assessment.
Finland's parliament experienced an intrusion into its IT systems. The incident was later cited by SUPO as a significant example of foreign cyber espionage targeting Finnish institutions.
A major breach hit Finnish psychotherapy provider Vastaamo, exposing sensitive patient data and becoming one of the notable cyber incidents later cited by Finnish authorities in national security assessments.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
20 references tracked. Mallory keeps watching after this page renders.
kyberturvallisuuskeskus.fi
Open sourcekyberturvallisuuskeskus.fi
Open sourcetherecord.media
Open sourcekyberturvallisuuskeskus.fi
Open sourcekyberturvallisuuskeskus.fi
Open sourcekyberturvallisuuskeskus.fi
Open sourcekyberturvallisuuskeskus.fi
Open sourcekyberturvallisuuskeskus.fi
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.