A sophisticated phishing campaign is targeting mayors, municipal leaders, and cybersecurity officers across Poland in what authorities are describing as a highly coordinated attempt to compromise local government networks. The warning, issued by CERT Polska, comes after multiple reports of officials receiving fraudulent emails that appear to come directly from the Ministry of Digital Affairs.
The emails use authentic-looking visuals, including the official ministry logo and a photo of Deputy Minister Paweł Olszewski, to create the illusion of legitimacy. The messages are written in formal administrative language and encourage recipients to act quickly, increasing the likelihood that officials will comply without verifying the source. The campaign has drawn attention not only for its precision but also for its deliberate targeting of public servants who hold cybersecurity or administrative responsibilities within local offices.
According to CERT Polska, the attackers are using social engineering methods to convince recipients to open a file attached to the email. The file is presented as a routine government document related to a new verification process or a security update for public employees. The message instructs the recipient to review and confirm “employee personal data” or to verify information about local staff members as part of a supposed compliance initiative.
When the victim opens the file and follows the embedded instructions, the attachment either connects to a malicious website or downloads malware onto the system. Once the malware is installed, it can begin collecting sensitive data, intercepting communications, and providing remote access to the attacker. This kind of infection is particularly dangerous in municipal environments where internal systems often link to broader networks that manage records, permits, or public infrastructure.
Poland’s national cybersecurity authorities have stressed that this campaign is still active and evolving. Because the attackers appear to be refining their messages and updating attachments, municipal offices are being urged to implement immediate defensive measures. These include tightening email filtering rules, blocking attachments from unknown senders, and creating internal verification steps for any communication that claims to come from a national ministry.
CERT Polska’s investigation suggests that the campaign has been ongoing for several weeks and that it may be part of a larger effort to infiltrate government systems at multiple levels. By focusing on mayors and other officials, the attackers appear to be seeking administrative access or credentials that could allow them to move laterally within networks. In a worst-case scenario, such access could be used to disrupt services, steal sensitive data, or plant ransomware across multiple offices.
The decision to impersonate the Ministry of Digital Affairs shows a clear understanding of how Polish administrative structures operate. Emails referencing a government ministry carry inherent authority, particularly when directed at local officials who regularly correspond with national institutions. This makes the tactic highly effective in lowering recipients’ guard and bypassing common security checks.
CERT Polska has urged all local offices to verify the authenticity of emails before acting on them. The agency also recommends that government employees receive updated training on identifying phishing attempts. Many of the fraudulent messages share common traits, such as minor grammatical errors, mismatched domain addresses, or unusual file types attached to what should be simple government notices.
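A mail-gateway triage check for two of the traits named above, mismatched sender domains and unusual attachment types, can be sketched as follows. This is an added example, not code from CERT Polska or the ministry; the trusted domain, the display-name text, the extension list and the sample message are all assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions, not values from the CERT Polska warning; set these per site.
TRUSTED_DOMAINS = {"ministry.example"}          # placeholder sender domain
CLAIMED_SENDER = "ministry of digital affairs"  # display-name text to match
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".lnk", ".hta", ".scr", ".iso")


def domain_of(header_value):
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def triage(raw_message):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name = parseaddr(str(msg.get("From", "")))[0].lower()
    from_domain = domain_of(msg.get("From"))
    trusted = any(("." + from_domain).endswith("." + d) for d in TRUSTED_DOMAINS)
    # Trait 1: mismatched domains (claimed name vs address, From vs Reply-To).
    if CLAIMED_SENDER in display_name and not trusted:
        findings.append("sender-domain-mismatch:" + from_domain)
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch:" + reply_domain)
    # Trait 2: attachment type unusual for a plain notice (catches x.pdf.lnk).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append("risky-attachment:" + name)
    return findings


def constructed_sample():
    """Build a made-up message for demonstration; not a real campaign sample."""
    m = EmailMessage()
    m["From"] = '"Ministry of Digital Affairs" <notice@mail-gov.example>'
    m["Reply-To"] = "verify@other.example"
    m["Subject"] = "Verification of employee personal data"
    m.set_content("Please review and confirm the attached form.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="employee_data.pdf.lnk")
    return m.as_string()


if __name__ == "__main__":
    print("\n".join(triage(constructed_sample())))
```

Findings from a check like this are best used to quarantine and route a message for manual verification, since a display-name match alone says nothing about a message sent from a compromised but legitimate account.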
While no confirmed breaches have yet been disclosed, cybersecurity experts warn that even a small number of successful infections could have serious consequences. Local government networks often store sensitive citizen data, including tax records, contact details, and identification information. They also play a role in essential services such as water, waste management, and emergency response coordination. A compromised administrator account could provide attackers with a gateway into these critical systems.
The Polish government has not commented publicly on the origin of the campaign, and no specific threat actor has been identified. However, analysts note that phishing operations of this kind often serve as precursors to larger cyberattacks. In previous cases, attackers have used similar strategies to plant remote access tools that enable deeper infiltration over time.
As the campaign continues, CERT Polska and other national agencies are working with local authorities to distribute warnings and share threat intelligence. Municipal offices are being asked to report all suspicious emails, even if no attachment was opened. Centralising this data will help identify patterns and potential connections between the attacks.
For public officials, the incident is a reminder that cybersecurity threats increasingly target individuals rather than systems. Sophisticated phishing relies less on technical exploits and more on psychological manipulation, using urgency and authority to push victims into taking action. By masquerading as legitimate communication from a trusted government source, attackers can bypass many technical safeguards that would normally prevent access.
The incident also highlights the growing challenge of defending smaller government entities that may lack dedicated cybersecurity resources. While national ministries often maintain advanced security operations, many municipal offices operate with limited technical staff and outdated systems. This creates vulnerabilities that threat actors can exploit to reach larger networks or gather intelligence about government processes.
Polish cybersecurity experts emphasise that even simple countermeasures can significantly reduce risk. These include verifying sender addresses, avoiding the opening of unverified attachments, using multi-factor authentication for administrative accounts, and maintaining up-to-date antivirus tools. Municipal offices are also encouraged to simulate phishing exercises to help employees recognise and report suspicious communications before damage occurs.
The phishing campaign against Polish municipal leaders shows how cybercriminals continue to evolve their tactics to exploit trust and routine communication. While the investigation is ongoing, the warning from CERT Polska underlines the importance of vigilance at every level of government. Whether or not the campaign achieves its intended goals, it serves as a reminder that even well-designed systems depend on human awareness to remain secure.
