Work email accounts belonging to approximately 100 National Health Service (NHS) workers in the United Kingdom were abused in a series of phishing campaigns for almost half a year, some of which aimed to harvest Microsoft login credentials. After compromising genuine NHS email accounts in October of last year, the attackers used them in phishing attacks that continued until at least April 2022.
According to researchers at email security firm INKY, over a thousand phishing emails were sent from NHS email accounts belonging to staff in England and Scotland. The researchers found that the fraudulent messages were sent through two NHS IP addresses from 139 NHS staff email accounts. In total, INKY observed 1,157 fake emails from the two addresses delivered to its clients.
“The NHS confirmed that the two addresses were relays within the mail system [NHSMail] used for a large number of accounts,” INKY said in a report.
In most cases, the phishing emails carried fake document-delivery notifications that led to counterfeit Microsoft login pages. The attackers appended the NHS confidentiality disclaimer at the bottom of the email to make it more convincing. In other samples obtained by INKY researchers, the phishing message impersonated companies such as Adobe and Microsoft by including their logos.
Beyond credential theft, the campaigns appear to have been broad in scope, including a few advance-fee fraud cases in which the attacker promised the recipient a hefty $2 million payment. Receiving the money, of course, came at a cost to the prospective victim: they were asked to hand over personal data such as full name, address and mobile number.
The person replying to the email signed as Shyann Huels and claimed to be "the special secretary to Mr. Jeff Bezos on International Affair Matters." The identity and message in the image above were used in frauds in early April, and the person behind them controls a cryptocurrency wallet address that received roughly 4.5 bitcoins, currently worth approximately $171,000.
After uncovering the phishing campaign, INKY contacted the NHS. In mid-April, the UK agency mitigated the risk by migrating from on-premises Microsoft Exchange deployments to the cloud service. However, the measure did not entirely stop the phishing, as INKY clients continued to receive fake emails, albeit in reduced numbers.
This is because the NHS provides infrastructure for tens of thousands of organisations across the country (hospitals, clinics, suppliers, doctors' offices) that rely on a variety of technology solutions. According to Roger Kay, INKY's Vice President of Security Strategy, these operations are not the result of a breach of the NHS email system "but rather individually hijacked accounts."