February 4th, 2026
Active Phishing Campaign in Medicine Hat
... Just in time for Christmas.
Just before Christmas, multiple organizations across Medicine Hat were targeted by a coordinated phishing campaign designed to steal Microsoft 365 email credentials.
What the phishing email looks like:
- Subject lines referencing Requests for Proposal (RFPs) or project opportunities: “REQUEST FOR PROPOSAL – [COMPANY NAME]”
- Mentions of being “shortlisted” for a project
- A link to view a PDF (often with a convincing filename)
- A sense of urgency around submission deadlines
When a recipient clicked the link and entered their credentials, the attacker:
- Gained access to the email account
- Logged in successfully (appearing legitimate)
- Re-sent the same phishing message from the compromised inbox, often changing the subject line to look authentic
This allowed the campaign to spread inside trusted business relationships, dramatically increasing credibility.
Why the Campaign Was So Successful
1. Timing and urgency
The pre-holiday period is busy, distracted, and deadline-driven — ideal conditions for attackers.
2. Business-relevant messaging
RFPs, invoices, and project opportunities feel normal in professional inboxes, lowering suspicion.
3. Trust in known senders
Emails sent from real compromised accounts bypass natural skepticism.
4. Clean, professional presentation
Modern phishing — often enhanced by AI tools — no longer looks obviously fake.
How the Attack Spread So Quickly
This campaign was effective because it combined technical compromise with social trust.
Unlike random spam, these emails:
- Came from real local businesses
- Appeared in existing email conversations
- Used relevant business language
- Avoided obvious spelling or formatting errors
Once a single account was compromised, the attacker could access contact lists, read conversation history, impersonate legitimate staff, and send highly believable follow-up messages. This turned a simple phishing email into a chain reaction across organizations.
Technology alone did not make this attack successful. Human behavior did.
Common patterns we observed:
- Clicking links quickly to stay productive
- Trusting familiar names or companies
- Responding to urgency without verification
- Assuming email equals authenticity
This isn’t carelessness; it’s normal workplace behavior being exploited. That’s why cybersecurity today isn’t just about firewalls… it’s about awareness, training, and verification habits.
What to do if someone already clicked the link?
Clicking the link itself may not automatically lead to compromise. The biggest risk is whether the user entered their credentials into the fraudulent login page. Either way, best practice is to:
- Contact your IT provider right away
- Reset the password and revoke active sessions
- Check for suspicious email rules or forwarding
- Enable or confirm multi-factor authentication (MFA)
- Review recent sent emails for further spread
Fast response can mean the difference between a contained incident and a full breach.
Warning Signs to Watch For
Encourage your team to pause when they see:
- Requests for payment, invoices, or banking changes
- Messages creating pressure or urgency
- Links to external documents requiring login
- Slightly altered domain names (example: partekk.ca vs. partek.ca)
- Unexpected RFPs or project invitations
When in doubt: Stop. Verify. Then act.
How Businesses Can Reduce Risk Going Forward
This incident reinforces several key protections:
1. Security awareness training
Staff must know what modern phishing actually looks like.
2. Multi-factor authentication everywhere
MFA remains the single most effective control against credential theft.
3. Easy reporting of suspicious emails
One-click reporting dramatically reduces spread.
4. Rapid incident response
Minutes matter when accounts are compromised.
5. Ongoing monitoring
Threats evolve constantly — protection must too.
This phishing campaign wasn’t unique to Medicine Hat. But its local trust-based spread made it especially impactful.
The lesson is clear: Cybersecurity is no longer just a technology problem. It’s a human one.
With the rise of AI-generated messaging and increasingly sophisticated attacks, we must assume: You can’t always trust that an email is from who it claims to be.
Verification, awareness, and rapid response are now essential parts of doing business.


