
Cybercriminals hacked into the mail system of the UK’s National Health Service. Breached employee accounts are used to send phishing mails.

There are signs of a scandal. The incident wasn’t disclosed by the National Health Service (NHS) itself; it took an independent security provider to break the news. INKY, which provides email security services, first saw the problem in October 2021, when some of its customers reported phishing mails arriving from NHSmail, the NHS’ mail system. In March 2022, the number of reports skyrocketed.

INKY registered a total of 1,157 phishing emails originating from hacked NHS accounts. Since INKY only has insight into emails received by its own customers, the true total is likely to be many times higher.

INKY contacted the NHS, prompting reports to decrease from 19 April 2022 onwards. “Likely due to efforts to mitigate the incursion”, shared a spokesperson.

All phishing emails were sent from two IP addresses, both owned by the NHS. The largest campaigns have been contained, but reports are still coming in, and according to INKY some NHS accounts likely remain compromised. Most of the phishing emails tried to lure victims to fake Microsoft login pages in order to harvest their credentials.

Scandalous

The NHS is an enormous, state-backed enterprise. It’s remarkable that it took an independent investigation to break the news. The NHS does not acknowledge any failing. “We have processes in place to continuously monitor and identify these risks”, the organization stated. “We address them in collaboration with our partners who support and deliver the national NHSmail service.”

The problem with trusted IPs

Phishing emails sent from genuinely compromised accounts are particularly dangerous, for two reasons. First, the attacker looks legitimate to the victim: the sender address is a real, active address at a real organisation, not a look-alike, so even careful recipients can be deceived. Second, the mail clears the checks most filters lean on. Because it really does leave the NHS’ own mail servers, sender-authentication checks such as SPF and DKIM pass, and the sending IP addresses carry a good reputation, so reputation-based filtering can’t guarantee detection. What remains is inspection of the message itself: the subject, the text and, above all, where its links actually lead.
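To make the trusted-sender problem concrete, here is a small added triage script (example code, not INKY’s or the NHS’ tooling). It parses a constructed sample message whose headers show SPF, DKIM and DMARC all passing for a trusted sender domain, shows that a purely reputation-based check waves it through, and then applies a content check that flags the mail anyway: the text invokes Microsoft, but the sign-in link points at a host that is not a Microsoft login host. All addresses, domains and the link are invented for the example; the list of Microsoft login hosts is an illustrative subset, not a complete one.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a phishing mail sent from a genuinely compromised account
# at a trusted domain. Headers, addresses and the link are made up for the example.
PHISH_MAIL = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=nhs.net; dkim=pass header.d=nhs.net; dmarc=pass header.from=nhs.net
From: Someone <someone@nhs.net>
To: victim@example.org
Subject: Action required: your Microsoft 365 password expires today
Content-Type: text/html

<html><body>
<p>Your Microsoft 365 password expires today.</p>
<p><a href="https://login-microsoft-verify.example.net/auth">Keep my password</a></p>
</body></html>
"""

# Constructed benign counterpart: same sender, same wording, genuine login host.
LEGIT_MAIL = PHISH_MAIL.replace(
    "https://login-microsoft-verify.example.net/auth",
    "https://login.microsoftonline.com/",
)

# Allow-list a gateway might keep for a partner organisation (assumed).
TRUSTED_SENDER_DOMAINS = {"nhs.net"}
# Hosts that legitimately serve Microsoft sign-in pages (illustrative subset).
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
BRAND_WORDS = ("microsoft", "office 365", "outlook", "onedrive", "sharepoint")


def parse_auth_results(msg):
    """Return e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'} from Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def reputation_check(msg):
    """The check many gateways stop at: trusted sender domain and SPF/DKIM/DMARC all pass.
    A mail sent from a compromised account on the domain's own servers passes this."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg)
    return domain in TRUSTED_SENDER_DOMAINS and all(
        auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")
    )


def extract_links(html):
    """Pull href targets out of an HTML body."""
    return re.findall(r'href=["\']?(https?://[^"\'\s>]+)', html, flags=re.I)


def brand_impersonation_check(msg):
    """Flag mail whose text invokes a brand while its links go to a host that is not the brand's.
    Returns (flagged, suspicious_links)."""
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    mentions_brand = any(word in text for word in BRAND_WORDS)
    suspicious = []
    for url in extract_links(body):
        host = (urlparse(url).hostname or "").lower()
        if host not in MICROSOFT_LOGIN_HOSTS and not host.endswith(".microsoft.com"):
            suspicious.append(url)
    return bool(mentions_brand and suspicious), suspicious


def triage(raw_mail):
    """Run both checks and report what each one sees."""
    msg = message_from_string(raw_mail)
    flagged, links = brand_impersonation_check(msg)
    return {
        "reputation_pass": reputation_check(msg),
        "brand_mismatch": flagged,
        "suspicious_links": links,
    }


if __name__ == "__main__":
    for label, mail in (("phish", PHISH_MAIL), ("legit", LEGIT_MAIL)):
        print(label, triage(mail))
```

The point of the two results side by side is that `reputation_pass` is true for both messages, so anything that trusts the sender domain or IP alone cannot separate them; only the link-versus-brand comparison does. A production gateway would go further (rendering the landing page, checking domain age, scoring the full message), but the asymmetry shown here is exactly why a compromised account at a trusted organisation is so hard to filter.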
