Attackers hijack UK NHS email accounts to steal Microsoft credentials
For around six months, work email accounts belonging to more than 100 National Health Service (NHS) employees in the UK were used in several phishing campaigns, some aimed at stealing Microsoft credentials.
Attackers began using hijacked, legitimate NHS email accounts in October 2021 and continued to use them for phishing until at least April 2022.
More than a thousand phishing messages were sent from NHS email accounts belonging to employees in England and Scotland, according to email security researchers INKY.
The researchers tracked the fraudulent messages as coming from two NHS IP addresses, sent from the email accounts of 139 NHS employees. INKY detected 1,157 fraudulent emails sent to its customers from the two addresses.
“The NHS has confirmed that the two addresses are relays within the messaging system [NHSMail] used for a large number of accounts,” INKY said in a report today.
In most cases, the phishing messages were fake alerts about the delivery of a new document, linking to fraudulent pages that asked for Microsoft credentials.
To make the email more believable, the attackers added the NHS privacy warning to the bottom of the message.
In other samples collected by INKY researchers, the phishing message mimicked brands like Adobe and Microsoft by adding the companies’ logos.
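Because the messages left the NHS's own relays from real mailboxes, sender-authentication checks such as SPF and DKIM alignment would pass; the only reliable signals are in the content: a document-delivery lure and a link that leads off the sender's domain. The script below is an added example, not code from INKY or the NHS. It parses raw messages with Python's standard `email` package and flags a message when a trusted sender domain, a lure phrase and an external link occur together. The sample messages, the `nhs.net` sender domain, the relay host name, the lure URL and the allowlists are all constructed assumptions for illustration, not data taken from the report.

```python
"""Content triage for document-delivery phishing relayed through a trusted mail system.

Added example; not INKY's or the NHS's code. All sample messages, domains,
host names and allowlists are constructed for illustration (assumptions).
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: a lure sent from a compromised mailbox via a legitimate
# relay, so the sending infrastructure itself looks trustworthy.
PHISH = b"""\
From: Jane Doe <jane.doe@nhs.net>
To: victim@example.org
Subject: You have a new document
Received: from relay01.nhs.net (relay01.nhs.net [192.0.2.10])
Content-Type: text/plain; charset=utf-8

A new document has been shared with you. Review it here:
https://docs-view.example.net/office365/login

This message may contain confidential information. If you are not the
intended recipient, please notify the sender and delete it.
"""

# Constructed benign sample: same sender domain, link stays on the organisation's domain.
BENIGN = b"""\
From: Jane Doe <jane.doe@nhs.net>
To: colleague@nhs.net
Subject: Rota for next week
Received: from relay01.nhs.net (relay01.nhs.net [192.0.2.10])
Content-Type: text/plain; charset=utf-8

Updated rota is on the intranet: https://intranet.nhs.net/rota/week23
"""

TRUSTED_SENDER_DOMAINS = {"nhs.net"}          # assumption for the example
TRUSTED_LINK_DOMAINS = {"nhs.net", "nhs.uk"}  # assumption for the example
LURE_PATTERNS = [
    r"\bnew document\b",
    r"\bshared (?:a )?(?:file|document) with you\b",
    r"\breview (?:it|the document) here\b",
]
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host):
    """Reduce a host name to its last two labels (simplification: no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def message_text(msg):
    """Return the text of the preferred body part, or an empty string."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def triage(raw):
    """Classify a raw RFC 5322 message as 'suspicious', 'review' or 'clean'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    text = message_text(msg)

    # Links whose registrable domain is outside the organisation's allowlist.
    external = sorted({
        urlparse(url).hostname
        for url in URL_RE.findall(text)
        if urlparse(url).hostname
        and registrable(urlparse(url).hostname) not in TRUSTED_LINK_DOMAINS
    })
    lure = any(re.search(p, text, re.IGNORECASE) for p in LURE_PATTERNS)

    # A privacy footer is deliberately not a signal: genuine mail carries it too.
    if sender_domain in TRUSTED_SENDER_DOMAINS and lure and external:
        verdict = "suspicious"
    elif external:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "sender_domain": sender_domain,
        "lure": lure,
        "external_links": external,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, triage(raw))
```

The point of the design is that the check ignores everything the attacker inherits from the hijacked account (sender address, relay, authentication results, footer) and keys only on what the attacker must supply: the lure text and a link that leaves the organisation. In production the two-label `registrable()` shortcut should be replaced by a public suffix list, and the lure patterns extended from observed samples.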
The campaigns appear to have had a wide reach. Besides credential theft, there were a few instances of advance-fee fraud in which the attacker announced a supposed $2 million donation to the recipient.
Naturally, receiving the funds came at a cost to the potential victim, in the form of personal data (e.g. full name and address, mobile phone number).
The reply to the message returned a response from someone using the name Shyann Huels and claiming to be “Mr. Jeff Bezos’ Special Secretary on International Affairs.”
The same name and message in the image above was seen in scams in early April, and the individual behind the operation has a cryptocurrency wallet address that received around 4.5 bitcoins, worth approximately $171,000 at current prices.
INKY has been in contact with the NHS since discovering the phishing campaign. The NHS addressed the risk after mid-April by moving from on-premises Microsoft Exchange deployments to the cloud service.
However, this decision did not put an end to the phishing altogether, as INKY customers continued to receive fraudulent messages, albeit in much smaller numbers.
This is because the NHS provides infrastructure to tens of thousands of organizations in the country (hospitals, clinics, providers, medical practices) that rely on a variety of technical solutions.
Roger Kay, vice-president of security strategy at INKY, points out that these campaigns are not the result of a breach of the NHS mail server “but rather of individually hacked accounts”.