NHS inboxes were hijacked to send 1000+ phishing emails

Email security firm Inky has found that more than 1000 phishing emails were sent from compromised National Health Service (NHS) inboxes over six months, starting from October 2021 and “dramatically” escalating in March 2022.

1157 phishing emails originated from NHSmail inboxes owned by 139 health service employees. Inky found that their official email accounts were individually compromised in the campaign to send out a variety of malicious messages.

The majority of the emails contained fake new document notifications, including malicious links to credential harvesting sites that preyed on Microsoft credentials. The emails had the NHS email footer at the bottom, some emails imitated Adobe and Microsoft by using their logos, and others were advance-fee scams.

The attacks, originating from NHSmail inboxes, dropped dramatically the next day after the firm reported its findings to the NHS on April 13, the firm claimed. However, Inky stated that the campaign’s scope could have been even larger since it had detected the phishing messages sent only to its customers.

In response to Inky’s findings, an official NHS statement claimed that the health service has processes in place to continuously monitor for such risks. According to the statement, NHS organizations will address them in collaboration with partners who support and deliver the national NHSmail service.

It’s unclear how the healthcare workers became infected in the first place, though according to a recent study by Comparitech, UK public sector workers may have clicked on as many as 58,000 suspicious links last year. Notably, NHS Digital had the highest number of malicious emails in 2021, with 89,353 malicious emails per employee.