Over a period beginning last fall and continuing into April, the National Health Service (NHS) of the United Kingdom fell prey to a large phishing operation. What had been sporadic use of legitimate NHS accounts to send phishing emails to unsuspecting third parties became a massive campaign in March.
The true scope of the attack could have been much larger, as INKY detected only those attempts made on our customers. But given how many we found, it’s safe to say that the total iceberg was much bigger than the tip we saw.
INKY shared its findings with the NHS, which sent the following response:
“We have processes in place to continuously monitor and identify these risks. We address them in collaboration with our partners who support and deliver the national NHSmail service.
“NHS organisations running their own email systems will have similar processes and protections in place to identify and coordinate their responses, and call upon NHS Digital assistance if required.”
Between background statements by the NHS and our investigations, we were able to determine that the breach was not a compromised mail server but rather individually hijacked accounts.
As of April 19, INKY mostly stopped receiving phishing reports from the NHS domain, likely due to the messaging team’s efforts to mitigate the incursion. One exception was the author, who received a simple request to reply to a Gmail account, sent from the NHS domain. Our data analysts found a few others scattered about our user base.
Starting in October 2021 and escalating dramatically in March 2022, INKY detected 1,157 phishing emails originating from NHSMail, the NHS email system for employees based in England and Scotland. Last year, this service was migrated from an on-premises installation to Microsoft Exchange Online. This migration, with its changed security environment, could have been a factor in the attack.
We reported our initial findings to the NHS on April 13, and as of April 14, the volume of attacks decreased dramatically, as the NHS took measures to stop them. However, INKY users were still receiving a few phishing emails from the NHS mail domain (nhs[.]net) after that time.
[Figure: Graph of NHS phish sent per month]
During the study period, the phishing emails originated from email accounts that belonged to 139 NHS employees.
INKY data analysts validated the email accounts via two methods: web searches, whose results confirmed the identity of the NHS employees whose accounts were compromised, and SMTP pings of the addresses.
[Figure: Example of SMTP ping results]
All phishing emails were sent from two IP addresses (213.161.89.71 and 213.161.89.103) used by the NHS. They also passed email authentication for nhs.net. The NHS confirmed that the two addresses were relays within the mail system used for a large number of accounts.
[Figure: All phishing emails authenticated to nhs.net]
The majority were fake new document notifications with malicious links to credential harvesting sites that targeted Microsoft credentials. All emails also had the NHS email footer at the bottom.
[Figure: Sample phishing email with NHS footer]
Some emails impersonated Adobe and Microsoft by using their logos in phishing emails.
[Figure: Example of an Adobe impersonation]
A few were advance-fee scams.
[Figure: Advance-fee scam example]
When the author replied to a phish he received from this broad campaign, he got a reply from “Shyann Huels,” who purported to be Jeff Bezos’s secretary. Apparently, he was the lucky recipient of $2 million (for a small handling fee).
As to the question of why there might still be a few phishes slipping through the net, even after the NHS took steps to mitigate this campaign, the answer might be found in the numbers. The NHS is a national organization in Great Britain, and as such, it has tremendous scope. Not only does nhs[.]net serve tens of millions of individual email users, it also provides an infrastructure for 27,000 organizations, each with its own technology staff. These organizations include hospitals, clinics, doctor’s offices, public bodies, suppliers, services, social-care organizations, and many other related entities.
We found 139 compromised accounts, which may sound like a lot, but that number represents only a few ten-thousandths of one percent of the total. Given the huge number of NHS accounts, this tiny percentage could still be expected to produce a few newly compromised accounts every day.
Perhaps this is a moment to introduce the idea that phish can be like a leak in the boat. It doesn’t matter that the hole is small. It will still sink the boat eventually. Even if only a few bad emails get through, with a malicious enough payload, a single successful attack can be life-altering. The NHS has been lucky so far. Credential harvesting by itself is small potatoes. But, of course, those credentials can be recycled in subsequent attacks with more dangerous results.
Email users should always check a sender’s email address carefully and scrutinize any links in an email by hovering over them. Most emails in this campaign claimed to be from Adobe or Microsoft, but nhs[.]net is not an Adobe or Microsoft domain. The links in them did not belong to these organizations, either.
Recipients should also be cautious with unfamiliar new document notifications and decline to respond to or click any links in an email from a sender who has never been in touch before.
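The two checks above (does the body name-drop a brand the sender's domain has nothing to do with, and do the links lead somewhere off-brand) can be automated at the mail gateway. The following is an added example, not INKY's code or NHS tooling; the message, sender, footer and URLs in it are constructed, and the brand host lists are assumptions. It also shows why "passed SPF and DKIM for nhs.net" is not a safety signal when the sending account itself is hijacked.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real message from the campaign): a "new document"
# lure from a hijacked nhs.net account that passes SPF/DKIM for nhs.net and
# carries an NHS-style footer. Names and URLs are invented.
SAMPLE = """\
From: Staff Member <staff.member@nhs.net>
To: recipient@example.org
Subject: New document shared with you
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=nhs.net; dkim=pass header.d=nhs.net
Content-Type: text/html; charset=utf-8

<html><body><p>A document has been shared with you via Adobe Document Cloud.</p>
<p><a href="https://docs-view.lure.invalid/open?id=42">Review document</a></p>
<p>This message may contain confidential information intended for the addressee only.</p>
</body></html>
"""

# Hosts a genuine notification from each brand would link to (assumed list).
BRAND_HOSTS = {
    "adobe": ("adobe.com", "acrobat.com"),
    "microsoft": ("microsoft.com", "office.com", "sharepoint.com", "onedrive.com"),
}

def host_matches(host, allowed):
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)

def assess(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    auth = msg.get("Authentication-Results", "").lower()
    authenticated = "spf=pass" in auth and "dkim=pass" in auth
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    claimed = [b for b in BRAND_HOSTS if re.search(rf"\b{b}\b", body, re.I)]
    hosts = [urlparse(u).hostname or "" for u in re.findall(r'href=["\'](https?://[^"\']+)', body, re.I)]
    # Links that belong to none of the brands the body invokes
    off_brand = [h for h in hosts if not any(host_matches(h, BRAND_HOSTS[b]) for b in claimed)]
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    sender_is_brand = any(host_matches(sender_domain, BRAND_HOSTS[b]) for b in claimed)
    return {
        "authenticated": authenticated,  # proves nhs.net sent it, not that it is safe
        "sender_domain": sender_domain,
        "claimed_brands": claimed,
        "off_brand_links": off_brand,
        "suspicious": bool(claimed) and bool(off_brand) and not sender_is_brand,
    }

if __name__ == "__main__":
    print(assess(SAMPLE))
```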