Over a period beginning last fall and continuing into April, the National Health Service (NHS) of the United Kingdom fell prey to a large phishing operation. What had been sporadic use of legitimate NHS accounts to send phishing emails to unsuspecting third parties became a massive campaign in March.
The true scope of the attack could have been much larger, as INKY detected only those attempts made on our customers. But given how many we found, it’s safe to say that the total iceberg was much bigger than the tip we saw.
INKY shared its findings with the NHS, which sent the following response:
“We have processes in place to continuously monitor and identify these risks. We address them in collaboration with our partners who support and deliver the national NHSmail service.
"NHS organisations running their own email systems will have similar processes and protections in place to identify and coordinate their responses, and call upon NHS Digital assistance if required."
Between background statements by the NHS and our investigations, we were able to determine that the breach was not a compromised mail server but rather individually hijacked accounts.
As of April 19, INKY mostly stopped receiving phishing reports from the NHS domain, likely due to the messaging team’s efforts to mitigate the incursion. One exception was the author, who received a simple request to reply to a Gmail account, sent from the NHS domain. Our data analysts found a few others scattered about our user base.
Quick Take: Attack Flow Overview
- Type: phishing
- Vector: emails sent from NHS servers
- Payload: credential harvesting links
- Techniques: brand impersonation, credential harvesting, hijacked accounts
- Platform: Microsoft 365
- Target: Microsoft 365 users
The Attack
Starting in October 2021 and escalating dramatically in March 2022, INKY detected 1,157 phishing emails originating from NHSMail, the NHS email system for employees based in England and Scotland. Last year, this service was migrated from an on-premise installation to Microsoft Exchange Online. This migration, with its changed security environment, could have been a factor in the attack.
We reported our initial findings to the NHS on April 13, and as of April 14, the volume of attacks decreased dramatically, as the NHS took measures to stop them. However, INKY users were still receiving a few phishing emails from the NHS mail domain (nhs[.]net) after that time.
Graph of NHS phish sent per month
During the study period, the phishing emails originated from email accounts that belonged to 139 NHS employees.
INKY data analysts validated the email accounts via two methods:
- LinkedIn profiles and NHS staff directory links confirmed that these accounts belonged to real NHS employees.
Search results confirmed the identity of NHS employees with compromised accounts
- Pinging the SMTP server drew replies of “250 OK,” establishing that the email addresses existed. Although our spot checks were statistical rather than exhaustive, we got a “250 OK” response for every email that we checked.
Example of SMTP ping results
All phishing emails were sent from two IP addresses (213.161.89.71 and 213.161.89.103) used by the NHS. They also passed email authentication for nhs.net. The NHS confirmed that the two addresses were relays within the mail system used for a large number of accounts.
All phishing emails authenticated to nhs.net
The majority were fake new document notifications with malicious links to credential harvesting sites that targeted Microsoft credentials. All emails also had the NHS email footer at the bottom.
Sample phishing email with NHS footer
Some emails impersonated Adobe and Microsoft by using their logos in phishing emails.
Example of an Adobe impersonation
A few were advance-fee scams.
Advance-fee scam example
When the author replied to a phish he received from this broad campaign, he got a reply from “Shyann Huels,” who purported to be Jeff Bezos’s secretary. Apparently, he was the lucky recipient of $2 million (for a small handling fee).
Broader Implications
As to the question of why there might still be a few phishes slipping through the net, even after the NHS took steps to mitigate this campaign, the answer might be found in the numbers. The NHS is a national organization in Great Britain, and as such, it has tremendous scope. Not only does nhs[.]net serves tens of millions of individual email users, it also provides an infrastructure for 27,000 organizations, each with its own technology staff. These organizations include hospitals, clinics, doctor’s offices, public bodies, suppliers, services, social-care organizations, and many other related entities.
We found 139 compromised accounts, which may sound like a lot, but that number represents only a few ten-thousandths of one percent of the total. Given the huge number of NHS accounts, this tiny percentage could still be expected to produce a few newly compromised accounts every day.
Perhaps this is a moment to introduce the idea that phish can be like a leak in the boat. It doesn’t matter that the hole is small. It will still sink the boat eventually. Even if only a few bad emails get through, with a malicious enough payload, a single successful attack can be life-altering. The NHS has been lucky so far. Credential harvesting by itself is small potatoes. But, of course, those credentials can be recycled in subsequent attacks with more dangerous results.
Recap of Techniques
- Brand impersonation — uses brand logos and trademarks to impersonate well-known brands.
- Credential harvesting — occurs when a victim thinks they are logging in to one of their resource sites but are in fact entering credentials into a dialogue box owned by the attackers.
- Hijacked accounts — are used by phishers to make their emails appear to come from legitimate senders
Best Practices: Guidance and Recommendations
Email users should always check a sender’s email address carefully and scrutinize any links in an email by hovering over them. Most emails in this campaign claimed to be from Adobe or Microsoft, but nhs[.]net is not an Adobe or Microsoft domain. The links in them did not belong to these organizations, either.
Recipients should also be cautious with unfamiliar new document notifications and decline to respond to or click any links in an email from a sender who has never been in touch before.
Ready to see INKY in action? Request a free trial or a demo today.
----------------------
INKY is an award-winning, cloud-based email security solution developed to proactively eliminate phishing emails and malware while simultaneously providing real-time assistance to employees handling suspicious emails so they can make safer decisions. INKY’s patented technology incorporates sophisticated computer vision, machine learning models, social profiling, and stylometry algorithms to effectively sanitize emails, rewrite malicious links, detect and block security threats, mitigate sender impersonation, and more. Cost-effective and powerful, the INKY platform was developed for mobile-first IT organizations and works seamlessly on any device, operating system, and mail client. Learn more about INKY™ or request an online demonstration today.