Phishing operation hits NHS email accounts to harvest Microsoft credentials

A phishing operation compromised over one hundred UK National Health Service (NHS) employees’ Microsoft Exchange email accounts for credential harvesting purposes, according to email security shop Inky.

During the phishing campaign, which began in October 2021 and spiked in March 2022, the email security firm detected 1,157 phishing emails originating from NHSMail accounts that belonged to 139 NHS employees in England and Scotland.

“The true scope of the attack could have been much larger, as Inky detected only those attempts made on our customers,” the company’s VP of Security Strategy Roger Kay wrote in a blog post. “But given how many we found, it’s safe to say that the total iceberg was much bigger than the tip we saw.”

Inky analysts determined the breach saw individual accounts hijacked and found no sign of a compromised mail server. The miscreants used the compromised accounts to send scam emails to third parties in attempts to harvest Microsoft credentials and, in a few cases, trick recipients into sending money via advance-fee scams.

Last year, the NHS migrated its email service from an on-premises system to Microsoft Exchange Online, which “could have been a factor in the attack,” Kay noted.

All of the fake emails were sent from two IP addresses used by the NHS, and the health agency confirmed that both were relays within the mail system used for a large number of accounts.

After Inky reported its initial findings to the NHS on April 13, the volume of attacks “decreased dramatically” on April 14, according to Kay.

An NHS spokesperson declined to provide details about measures the government agency took to stop the phishing campaign, but noted: “The increase in phishing across all sectors has been well-reported.”

“We have processes in place to continuously monitor and identify these risks. We address them in collaboration with our partners who support and deliver the national NHSmail service,” the spokesperson told The Register. “NHS organizations running their own email systems will have similar processes and protections in place to identify and coordinate their responses, and call upon NHS Digital assistance, if required.”

The majority of the phishing emails were fake new-document notifications with malicious links to credential-harvesting sites. All of the emails had the NHS email footer at the bottom, Kay noted.

Some impersonated Adobe and Microsoft by using the companies’ logos.

And a few were advance-fee scams. As Kay described:

Although 139 email accounts represent a very small number of the total user base of NHSMail (just “a few ten-thousandths of one percent of the total,” Kay noted), it’s significant because the NHS is a national organization with a very large scope, Kay said.

Its nhs[.]net domain serves “tens of millions” of email users, and provides infrastructure for 27,000 organizations including hospitals, health clinics, social-work organizations, suppliers and others.

And while credential harvesting is “small potatoes,” as far as attacks go, “those credentials can be recycled in subsequent attacks with more dangerous results,” Kay wrote. ®