NHS email accounts hacked for phishing campaign
More than 130 NHS email accounts have been hacked in a credential harvesting phishing operation targeting Microsoft users, although the true scope of the attack is unknown.
During the phishing campaign – which began in October 2021 and escalated significantly in March 2022 – cloud-based security platform Inky detected 1,157 phishing emails from NHSmail, which was migrated from an on-premises installation to Microsoft Exchange Online in February 2021.
All of the phishing emails passed email authentication for nhs.net and were sent from two IP addresses used by the NHS; both addresses were confirmed to be relays within the mail system used by a large number of accounts.
The majority of the emails were fake notifications of new documents containing malicious links to credential harvesting sites, which specifically sought information from Microsoft 365 users.
Inky noted that although the phishing emails came from email accounts belonging to 139 NHS staff, the true reach of the attack could have been much greater, as its analysts only detected phishing attempts aimed at Inky's own customers.
Inky added that although the 139 compromised accounts represent “only a few ten thousandths of one percent of the total number” of accounts, nhs.net serves tens of millions of individual email users and provides infrastructure for around 27,000 organizations, which means that even this low rate could be expected to produce a few newly compromised accounts every day.
“Maybe it’s time to introduce the idea that phishing can be like a leak in the boat. It doesn’t matter how small the hole is, it will still sink the boat eventually,” Inky stated in a blog post.
“Even if only a few bad emails arrive, with a sufficiently malicious payload, a single successful attack can be life-changing. The NHS has been lucky so far. The credential harvest itself is small. But, of course, those credentials can be recycled in later attacks with more dangerous results.”
Inky reported its initial findings to the NHS on April 13. The NHS took immediate action, leading to a significant reduction in the volume of attacks the following day. On April 19, Inky said it had virtually stopped receiving phishing reports from the NHS domain.
Inky and the NHS together determined that the breach was not a compromised email server, but rather the result of individually hacked accounts.
“We have processes in place to continuously monitor and identify these risks. We deal with them in conjunction with our partners who support and deliver the national NHSmail service,” the NHS said in response to Inky’s findings.
“NHS organizations that run their own messaging systems will have similar processes and protections in place to identify and coordinate their responses, and call on NHS Digital for assistance, if needed.”
In addition to harvesting credentials and hijacking accounts, the attackers also used logos and trademarks to impersonate well-known brands (including Microsoft and Adobe) to give the impression that the emails were legitimate. All of the emails also carried the NHS email footer at the bottom.
In terms of mitigation, Inky said users should always check a sender’s email address carefully, as well as scrutinize all links by hovering over them.
“Most of the emails in this campaign claimed to be from Adobe or Microsoft, but nhs[.]net is not an Adobe or Microsoft domain. The links they contain do not belong to these organizations either,” Inky said.
“Recipients should also be cautious with notifications of new unknown material and refuse to reply to or click on links in an email from a sender who has never been in contact before.”
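The two checks Inky recommends above (does the sender's domain match the brand the message claims to be from, and where do the links actually point) can be automated on the mail-gateway side. The following Python sketch is an added example, not code from the article or from Inky's own product: it parses a message, compares the brand names mentioned in the body against the domains of the embedded links, and deliberately does not let a passing SPF/DKIM result lower the score, because in this campaign every message authenticated correctly for nhs.net. The brand-to-domain allow-list and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the campaign impersonated, mapped to domains they legitimately use.
# These sets are an assumption for the example; load a maintained allow-list
# in a real deployment.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "adobe": {"adobe.com", "acrobat.com"},
}

# Plain http(s) URLs in a text body; stops at whitespace, quotes, brackets.
LINK_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude registrable-domain reduction (last two labels); adequate here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg) -> str:
    """Domain part of the From: address (nhs.net for the compromised senders)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw: str) -> dict:
    """Flag messages whose links do not belong to the brand they claim.

    Authentication-Results is reported but not trusted as a 'safe' signal:
    a hijacked account produces messages that pass SPF and DKIM.
    """
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()  # plain text only
    text = body.lower()
    from_dom = sender_domain(msg)
    findings = []

    claimed = [brand for brand in BRAND_DOMAINS if brand in text]
    for url in LINK_RE.findall(body):
        dom = registrable_domain(urlparse(url).hostname or "")
        if dom == from_dom:
            continue  # link stays inside the sender's own domain
        for brand in claimed:
            if dom not in BRAND_DOMAINS[brand]:
                findings.append(f"claims {brand} but links to {dom}")

    auth = msg.get("Authentication-Results", "")
    return {
        "sender_domain": from_dom,
        "auth_passed": "spf=pass" in auth and "dkim=pass" in auth,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample: a 'new document' lure from a (hypothetically) hijacked
# nhs.net account, claiming Microsoft but linking elsewhere.
PHISH_SAMPLE = """From: NHS Staff <staff.member@nhs.net>
To: clinician@example.org
Subject: New document shared with you
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=nhs.net; dkim=pass header.d=nhs.net

A new Microsoft 365 document has been shared with you.
Open it here: https://share-docs.example.net/view?id=123

This message was sent from NHSmail.
"""

# Constructed sample: a benign internal message that also mentions Microsoft.
LEGIT_SAMPLE = """From: NHS Staff <staff.member@nhs.net>
To: clinician@example.org
Subject: Rota update
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=nhs.net; dkim=pass header.d=nhs.net

The updated rota is on the intranet: https://intranet.nhs.net/rota
Microsoft Teams call at 10:00.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, assess_message(sample))
```

The point of the `auth_passed` field is that it is informational only: the verdict rests on the brand/link mismatch, which is exactly the signal Inky describes and the one that survives when the sending account is genuine but hijacked.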
NHS Digital relaunched its cybersecurity awareness campaign in October 2021 to help staff across health services better understand current security threats, as well as how to reduce their overall risk of being compromised.
The online toolkit is free to download and helps healthcare organizations learn more about ‘common sense’ security practices and the impact good security hygiene can have on patient safety. It includes guidance on setting secure passwords, locking devices when not in use, and detecting and mitigating phishing, email scams, and social engineering attacks, among other topics.
Over the past few years, various Freedom of Information Act requests made by third parties have shown that the NHS has seen a reduction in the number of phishing emails it receives and fewer ransomware incidents, and has increased its security staffing levels. At the end of 2020, it employed twice as many in-house security professionals as in 2018.