NHS email accounts hijacked for phishing campaign

More than 130 NHS email accounts were hijacked for a credential harvesting phishing operation targeting Microsoft users, although true scope of the attack is unknown.

During the phishing campaign – which started in October 2021 and escalated dramatically in March 2022 – cloud-based security platform Inky detected 1,157 phishing emails originating from NHSMail, which was migrated from an on-premise installation to Microsoft Exchange Online in February 2021.

All of the phishing emails passed email authentication for nhs.net, and were sent from two IP addresses used by the NHS, which confirmed that the two addresses were relays within the mail system used for a large number of accounts.

The majority of the emails were fake new document notifications with malicious links to credential harvesting sites, which were specifically seeking information from Microsoft 365 users.

Inky noted that although the phishing emails originated from email accounts belonging to 139 NHS employees, the true scope of the attack could have been much larger as it’s data analysts only detected the phishing attempts made on its own customers. 

It added that despite the 139 compromised accounts representing “only a few ten-thousandths of one percent of the total” number of accounts, nhs.net serves tens of millions of individual email users and provides infrastructure for around 27,000 organisations, meaning this lowly number could still be expected to produce a few newly compromised accounts every day.

“Perhaps this is a moment to introduce the idea that phish can be like a leak in the boat. It doesn’t matter that the hole is small, it will still sink the boat eventually,” it said in a blog post.

“Even if only a few bad emails get through, with a malicious enough payload, a single successful attack can be life-altering. The NHS has been lucky so far. Credential harvesting by itself is small potatoes. But, of course, those credentials can be recycled in subsequent attacks with more dangerous results.”

Inky reported its initial findings to the NHS on 13 April, which took immediate action, leading to a significant reduction in the volume of attacks by the next day. By 19 April, Inky said it had mostly stopped receiving phishing reports from the NHS domain.

Between Inky and the NHS, it was determined that the breach was not a compromised mail server, but rather the result of individually hijacked accounts.

“We have processes in place to continuously monitor and identify these risks. We address them in collaboration with our partners who support and deliver the national NHSmail service,” said the NHS in response to Inky’s findings.

“NHS organisations running their own email systems will have similar processes and protections in place to identify and coordinate their responses, and call upon NHS Digital assistance, if required.”

On top of credential harvesting and hijacked accounts, the attackers also used logos and trademarks to impersonate well-known brands (including Microsoft and Adobe) to make the emails appear legitimate. All emails also had the NHS email footer at the bottom.

In terms of mitigations, Inky said users should always carefully check a sender’s email address, as well as scrutinise any links by hovering over them.

“Most emails in this campaign claimed to be from Adobe or Microsoft, but nhs[.]net is not an Adobe or Microsoft domain. The links in them did not belong to these organisations, either,” it said.

“Recipients should also be cautious with unfamiliar new document notifications and decline to respond to or click any links in an email from a sender who has never been in touch before.”

NHS Digital relaunched its cyber security awareness campaign in October 2021 to help staff across the health service understand more about current security threats, as well as how to reduce their overall risk of being compromised.

The online toolkit can be downloaded for free to help health sector organisations learn more about “common sense” security practice and the impact that good security hygiene can have on patient safety. It includes guidance on setting secure passwords, locking devices when not in use, and spotting and mitigating phishing, email scams and social engineering attacks, among other things.

In the past few years, various requests made under the Freedom of Information Act by third parties have shown that the NHS has seen a reduction in the number of phishing emails it receives, fewer ransomware incidents, and has improved its security staffing levels. As of the end of 2020, it employed twice as many in-house security practitioners as it did in 2018.