ctipilot.ch

Psychiatrische Dienste Aargau (PDAG) email-account phishing/spam-relay compromise (2026)

incident · incident:pdag-email-phishing-2026 single-source-victim

Individual @pdag.ch mailboxes at the Swiss cantonal psychiatric-care provider PDAG were compromised via phishing and abused to relay spam/phishing to external recipients; disclosed ~2026-07-08/09, accounts locked and all-staff passwords reset, no patient-data compromise confirmed (SwissCybersecurity.net, 2026-07-09).

Coverage timeline
1
first 2026-07-09 → last 2026-07-09
Entries
1
1 distinct days
Sources cited
2
2 hosts
Sections touched
1
active-threats
Co-occurring entities
0
no co-occurrence

Story timeline

  1. 2026-07-09Psychiatrische Dienste Aargau (PDAG) email accounts compromised via phishing and abused to relay spam
    active-threatsSwiss cantonal psychiatric provider PDAG discloses phishing-driven takeover of staff mailboxes used to send outbound spam/phishing

Where this entity is cited

  • active-threats1

Source distribution

  • inside-it.ch1 (50%)
  • swisscybersecurity.net1 (50%)

Entries about Psychiatrische Dienste Aargau (PDAG) email-account phishing/spam-relay compromise (2026) (1)

2026-07-09 · view entry permalink →

NOTABLE

Psychiatrische Dienste Aargau (PDAG) email accounts compromised via phishing and abused to relay spam

Psychiatrische Dienste Aargau AG (PDAG), a Swiss cantonal psychiatric-care provider, disclosed that unauthorised parties gained access to individual @pdag.ch email accounts and abused them to send spam and phishing messages to external recipients (SwissCybersecurity.net, 2026-07-09; Inside IT, 2026-07-08). On discovery, PDAG locked the affected accounts immediately, reset passwords for all employees as a precaution, notified the competent cantonal and national authorities, and engaged internal and external IT-security experts plus its external ICT service provider to analyse and harden. By its current assessment the incident is limited to account misuse for outbound spam/phishing, with no indication that patient data was accessed or exfiltrated; the organisation is warning recipients about suspicious mail purporting to come from its domain.

No technical root cause — the initial-access vector into the mailboxes, whether MFA was enforced, or whether the takeover was via credential phishing or an OAuth consent grant — was disclosed, so the mechanism is unknown rather than assumed. The pattern maps to T1566 Phishing for the initial access and T1586.002 Compromise Accounts: Email Accounts for the takeover and downstream abuse.

incident09 Jul 12:28Zsingle-source · victim disclosureOpen finding ↗