More than 130 NHS email accounts have been hijacked for a phishing operation aimed at Microsoft users, although the true extent of the attack is unknown.
During the campaign, which began in October 2021 and escalated sharply in March 2022, the cloud-based email security platform Inky detected 1,157 phishing emails sent from NHSMail, the service that had migrated from an on-premises installation to Microsoft Exchange Online in February 2021.
All of the phishing emails passed email authentication for nhs.net and were sent from two IP addresses used by the NHS; Inky confirmed that both addresses are relays within the mail system, shared by a large number of accounts.
Most of the emails were fake notifications of new documents, with links to credential-harvesting sites that specifically targeted Microsoft 365 users.
Inky noted that although the phishing emails originated from email accounts belonging to 139 NHS employees, the true scope of the attack could be much greater, since its analysts could only see phishing attempts aimed at Inky's own customers.
It added that although the 139 compromised accounts represent “only a few ten-thousandths of one percent of the total” number of accounts, nhs.net serves tens of millions of individual email users and provides infrastructure for about 27,000 organizations, so even this low rate can be expected to produce several newly compromised accounts each day.
“Maybe this is the time to introduce the idea that a slip can be like a leak in a boat. It doesn’t matter that the hole is small; it will sink the boat in the end,” Inky said in a blog post.
“Even if only a few bad emails pass, with enough malicious payload, a successful attack can change lives. The NHS has been lucky so far. The harvest itself is small potatoes. But, of course, these credentials can be recycled in subsequent attacks with more dangerous results.”
Inky reported its initial findings to the NHS on April 13. The NHS took immediate action, leading to a significant reduction in attack volume by the next day; by April 19, Inky said it had largely stopped receiving phishing reports from the NHS domain.
Working together, Inky and the NHS established that the breach was not a compromised mail server but the result of individually hijacked accounts.
“We have processes in place to continuously monitor and identify these risks. We are addressing them in collaboration with our partners who support and deliver the national NHSmail service,” the NHS said in response to Inky’s findings.
“NHS organizations operating their own email systems will have similar processes and protections in place to identify and coordinate their responses, and to turn to NHS Digital for assistance if necessary.”
In addition to harvesting credentials and hijacking accounts, the attackers used logos and trademarks to impersonate well-known brands (including Microsoft and Adobe) to make the emails look legitimate. All of the emails also carried the standard NHS email footer.
In terms of mitigation, Inky said users should always check the sender’s email address carefully, and inspect every link by hovering the mouse cursor over it before clicking.
“Most of the emails in this campaign claimed to be from Adobe or Microsoft, but nhs[.]net is not an Adobe or Microsoft domain. The links in them also do not belong to these organizations,” the statement said.
“Recipients should also be wary of unfamiliar notifications of new documents, and refuse to respond to or click on links in an email from a sender with whom they have had no prior relationship.”
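The point Inky is making is that SPF, DKIM and DMARC all pass for a hijacked nhs.net account, so authentication alone cannot catch this campaign; what gives it away is the mismatch between the brand the mail claims to be from, the sending domain, and the domains the links actually point to. The following Python script is an added example of that triage logic, not code from Inky, NHS Digital or the article. It assumes an illustrative subset of domains genuinely owned by Microsoft and Adobe (BRAND_DOMAINS), a two-label approximation of the registrable domain, and two constructed sample messages; the host docs-review.example.net is a placeholder, not a real indicator from the campaign.

```python
"""Triage heuristic for brand-impersonation phishing sent from an authenticated
domain.  Constructed example; not Inky's or NHS Digital's code."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains that genuinely belong to the brands this campaign impersonated.
# Assumption: illustrative subset; a deployment would keep its own list.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com",
                  "sharepoint.com", "live.com"},
    "adobe": {"adobe.com", "acrobat.com"},
}


class _LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags, i.e. what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def registrable_domain(url):
    """Last two labels of the URL host.  Assumption: adequate for the .com/.net
    hosts used here; production code should consult the public suffix list."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def auth_verdicts(msg):
    """Pull spf/dkim/dmarc results out of Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def triage(raw_message):
    """Describe whether the message looks like brand-impersonation phishing,
    independently of whether it authenticates for its sending domain."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    verdicts = auth_verdicts(msg)
    authenticated = all(verdicts.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg['Subject'] or ''}\n{body}".lower()

    # Which brands does the mail claim to be from, and which domains may it use?
    claimed = sorted(b for b in BRAND_DOMAINS if b in text)
    allowed = set().union(*(BRAND_DOMAINS[b] for b in claimed)) if claimed else set()

    extractor = _LinkExtractor()
    extractor.feed(body)
    link_domains = sorted({registrable_domain(u) for u in extractor.hrefs
                           if u.lower().startswith(("http://", "https://"))})

    findings = []
    for brand in claimed:
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"claims {brand} but From: domain is {sender_domain}")
    for dom in link_domains:
        if claimed and dom not in allowed:
            findings.append(f"link to {dom} does not belong to {', '.join(claimed)}")

    # Passing SPF/DKIM/DMARC only proves the mail left the domain it names;
    # a hijacked account passes too, so it never overrides the findings.
    return {"sender_domain": sender_domain, "authenticated": authenticated,
            "claimed_brands": claimed, "link_domains": link_domains,
            "findings": findings,
            "verdict": "suspicious" if findings else "no brand mismatch"}


# Constructed sample in the shape of the campaign: authenticated nhs.net sender,
# Microsoft-themed "new document" lure, link to an unrelated placeholder host.
PHISH = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=nhs.net; dkim=pass header.d=nhs.net; dmarc=pass header.from=nhs.net
From: Some Clinician <some.clinician@nhs.net>
To: recipient@example.org
Subject: New document shared with you in Microsoft SharePoint
Content-Type: text/html; charset="utf-8"

<html><body><p>A document has been shared with you.</p>
<p><a href="https://docs-review.example.net/office365/login">Open document</a></p>
<p>This message was sent from NHSmail.</p></body></html>
"""

# Constructed control: a Microsoft-branded notice that really comes from
# and links to a Microsoft domain.
GENUINE = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
From: Microsoft <noreply@microsoft.com>
To: recipient@example.org
Subject: Your Microsoft 365 invoice
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.microsoft.com/">Sign in</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("genuine", GENUINE)):
        print(name, triage(sample))
```

Run as-is, the phishing sample is reported as fully authenticated yet suspicious on two counts (it claims Microsoft from an nhs.net sender, and its link resolves to example.net), while the control produces no findings. The brand keyword match is deliberately crude; the useful property is that the verdict is driven by the sender/brand/link relationship rather than by the authentication headers.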
NHS Digital relaunched its cybersecurity awareness campaign in October 2021 to help healthcare professionals learn about current security threats and how to reduce their overall risk of compromise.
Online tools can be downloaded free of charge to help healthcare organizations learn about common-sense security practices and the impact that good security hygiene can have on patient safety. They include guidance on setting secure passwords, locking devices when not in use, and detecting and mitigating phishing, email fraud and social engineering attacks, among other things.
Over the last few years, various Freedom of Information requests by third parties have shown that the NHS has seen a reduction in the number of phishing emails it receives, fewer ransomware incidents and improved security staffing levels. By the end of 2020 it employed twice as many security staff as in 2018.