NHS Hit by Account Takeover Attack Exploiting Legitimate Employee Accounts to Harvest User Credentials

Researchers at INKY have released a new report uncovering an account takeover attack exploiting the National Health Service (NHS) in the UK. Because the NHS, like any UK government entity, is a trusted sender, the attack is systematically hitting thousands of recipients with mail sent from legitimate employee email accounts.

These emails present fake "new document" notifications with malicious links to credential-harvesting sites that target Microsoft credentials.
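Because the phishing mail is sent from genuinely compromised accounts, sender authentication (SPF, DKIM, DMARC) passes and cannot flag it; what remains is the lure itself and where its links lead. The following is an added illustration, not code from INKY or the NHS, of a simple content-based triage rule: a "new document" lure from the trusted sender domain whose links point anywhere other than the tenant's expected sharing hosts is marked for review. The sample messages, the phishing URL and the allowlist of sharing hosts are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample messages (not taken from the INKY report). The first
# imitates the lure described in the article; the others are benign controls.
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {
        "from": "clinic.admin@nhs.net",
        "subject": "New document shared with you",
        "body": "A new document is available for you. Review it here: "
                "https://login-docs.example-phish.invalid/view?id=1234",
    },
    {
        "from": "it.support@nhs.net",
        "subject": "Scheduled maintenance this weekend",
        "body": "NHSmail will be unavailable between 02:00 and 04:00.",
    },
    {
        "from": "records@nhs.net",
        "subject": "Document from Finance",
        "body": "See https://nhs.sharepoint.com/sites/finance/report.pdf",
    },
]

# The sender domain whose mail is trusted (from the article).
TRUSTED_SENDER_DOMAIN = "nhs.net"

# Hosts a genuine document share from this tenant would use. ASSUMPTION for
# the example only; a real allowlist is derived from your own tenant config.
EXPECTED_SHARE_HOSTS = {"nhs.sharepoint.com"}

# Wording typical of a document-notification lure, and a URL extractor.
LURE_PATTERN = re.compile(r"\b(?:new|shared)\s+document\b|\bdocument\s+from\b", re.I)
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def extract_hosts(text: str) -> List[str]:
    """Return the (lower-cased) hostnames of every http(s) URL in the text."""
    return [urlparse(u).hostname or "" for u in URL_PATTERN.findall(text)]


def assess(msg: Dict[str, str]) -> Verdict:
    """Flag a trusted-domain message that carries a document lure with off-tenant links."""
    reasons: List[str] = []
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    has_lure = bool(LURE_PATTERN.search(msg["subject"]) or LURE_PATTERN.search(msg["body"]))
    if sender_domain == TRUSTED_SENDER_DOMAIN and has_lure:
        external = [h for h in extract_hosts(msg["body"]) if h not in EXPECTED_SHARE_HOSTS]
        if external:
            reasons.append("document lure from trusted domain with links to: " + ", ".join(external))
    return Verdict(bool(reasons), reasons)


def scan(messages: List[Dict[str, str]]) -> List[int]:
    """Return the indices of messages that should be queued for analyst review."""
    return [i for i, m in enumerate(messages) if assess(m).suspicious]


if __name__ == "__main__":
    for i in scan(SAMPLE_MESSAGES):
        print(f"message {i}: {'; '.join(assess(SAMPLE_MESSAGES[i]).reasons)}")
```

The rule deliberately keys on the combination of trusted sender, document lure and off-tenant link rather than on the sender alone, since blocking the sender domain outright would also stop legitimate NHS mail; in practice the allowlist and the lure vocabulary are tuned to the tenant, and hits feed a review queue rather than an automatic block.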

Starting in October 2021 and escalating dramatically in March 2022, INKY detected 1,157 phishing emails originating from NHSmail, the NHS email system for employees based in England and Scotland. Last year, this service was migrated from an on-premises installation to Microsoft Exchange Online. This migration, with its changed security environment, could have been a factor in the attack.

We reported our initial findings to the NHS on April 13, and as of April 14, the volume of attacks decreased dramatically, as the NHS took measures to stop them. However, INKY users were still receiving a few phishing emails from the NHS mail domain (nhs[.]net) after that time. 

You can read the full report here; it is well worth reading so that you stay on top of this attack campaign.
