During March and April the NHS was embroiled in a phishing campaign – however the NHS was not the target – 139 compromised NHS email accounts were being used to send the phishing emails to external targets. Coming from legitimate NHS email addresses on NHS servers meant the emails would pass many validation checks and be more likely to arrive in their victims inboxes.
The campaign is detailed in a new research blog post from email security firm Inky. According to the report, the majority of the emails sent were fake document notifications containing links to credential harvesting sites targeting Microsoft Office365 users.
This campaign highlights the risks to firms if their own staffs email accounts are compromised and used by criminals for malicious activity:
Loss of Confidence: potential customers and business partners may be wary of working with a supplier who appears to have lax cybersecurity in their supply chain.
Financial Liability: It is not hard to imagine a victim who experienced financial loss trying to gain compensation from the organisation who sent the emails – in this case the NHS.
For the recipients of the phishing emails, Security Awareness Training for staff is key. In this campaign, even though the emails were sent from legitimate NHS email accounts, the content of the email did not match up – as they pretended to be from Microsoft and Adobe – so there was a mismatch between the senders domain name and the content of the email. Training your staff to spot this discrepancy will help protect your network from ransomware and phishing attacks.