
Attackers hijack UK NHS email accounts to steal Microsoft logins


For about half a year, work email accounts belonging to more than 100 NHS employees in the UK were used in various phishing campaigns, some aiming to steal Microsoft logins.

Attackers began using legitimate NHS email accounts in October last year after hijacking them and continued to use them in phishing activities until at least April 2022.

More than a thousand phishing messages have been sent from NHS email accounts belonging to employees in England and Scotland, according to INKY email security researchers.

Phishing volume using hijacked email accounts of NHS employees
Source: INKY

Investigators traced the fraudulent messages to two NHS IP addresses, delivered from the email accounts of 139 NHS employees. INKY detected 1,157 fraudulent emails sent to its customers that originated from the two addresses.

“The NHS confirmed that the two addresses were repeaters within the mail system [NHSMail] used for a large number of accounts,” INKY said in a report today.

In most cases, the phishing messages sent false alerts for new document delivery that linked to fraudulent pages requesting Microsoft credentials.

To make the email more credible, the attackers added the NHS confidentiality disclaimer at the bottom of the message.

Phishing message using an NHS employee's email account
Source: INKY

In other samples INKY researchers collected, the phishing message impersonated brands like Adobe and Microsoft by adding company logos.

The campaigns appear to have had a wide reach, and in addition to attempting to steal credentials, there have been a few advance-fee scam cases in which the attacker told the recipient of a massive $2 million donation.

Of course, receiving the funds came at a cost to the potential victim in the form of personal data (e.g. full name and address, mobile phone number).

Replying to the message returned a reply from someone using the name Shyann Huels and claiming to be “Mr. Jeff Bezos’ special secretary for International Affairs.”

Advance-fee scam using NHS employee email
Source: INKY

The same name and message in the image above have been seen in scams in early April and the individual behind the operation has a cryptocurrency wallet address that received around 4.5 bitcoins, currently worth around $171,000.

INKY has been in contact with the NHS since they discovered the phishing campaign. The UK agency addressed the risk after mid-April by switching from on-premises Microsoft Exchange deployments to the cloud service.

However, the move did not stop the phishing altogether, as INKY customers continued to receive fraudulent messages, albeit in much smaller numbers.

This was because the NHS provided an infrastructure for tens of thousands of organizations (e.g. hospitals, clinics, providers, doctors’ offices) across the country that rely on various technical solutions.

Roger Kay, vice president of security strategy at INKY, stresses that these campaigns are not the result of the breach of the NHS email server “but of accounts hijacked individually”.
