Phishing operation hits NHS email accounts to harvest Microsoft credentials

A phishing operation compromised over one hundred UK National Health Service (NHS) employees' Microsoft Exchange email accounts for credential harvesting purposes, according to email security shop Inky. During the phishing campaign, which began in October 2021 and spiked in March 2022, the email security firm detected 1,157 …

  1. msknight
    Joke

    Too little, too late.

    The NHS was already promised £350 million a day, and that never materialised. That was also painted on the side of a bus no less, not a paltry e-mail. Don't think many will fall for a poultry £2 mill.

    1. Anonymous Coward
      Anonymous Coward

      Re: Too little, too late.

      Throwing unlimited money at a problem won't fix it.

      1. Lazlo Woodbine

        Re: Too little, too late.

        Not giving them enough money to adequately run their day to day operations is even less likely to fix the NHS.

        Also, £350 million is not unlimited money, it quite clearly has a limit, that limit being £350 million...

        1. Anonymous Coward
          Anonymous Coward

          Re: Too little, too late.

          The problem isn't the amount of resources, it's the lack of joined up thinking, little empires and the divisions in the health services. NHS England is essentially hundreds of different little companies of various sizes. You won't get the savings or standards at scale as often as we should as so much of it is up to who wants to adopt, many things are not mandatory.

          1. Yet Another Anonymous coward Silver badge

            Re: Too little, too late.

            But a single monolithic NHS would be a dinosaur unable to respond in a modern hyped focus dynamic marketplace of best practice goal orientated driven solutions spaces.

            The crowd of management consultants that replaced all the actual consultants told me so.

            1. Anonymous Coward
              Anonymous Coward

              Re: Too little, too late.

              That's a very good point, so many fingers in the pie from large IT consultants trying to ensure joined up approach doesn't happen so they can keep selling at higher margins.

              Outside IT there are so many localised policies that the number of hours wasted in maintaining those each year must be enormous per trust when they could be a national policy adopted by all and maintained by a governance group of trusts and regions.

              1. Terry 6 Silver badge

                Re: Too little, too late.

                The NHS also has an enormous bureaucratisation issue due to the mixture of internal markets and over-management. For example, clinicians already working ridiculously hard have to waste a significant amount of time recording their activities, to prove they aren't, er, wasting time. Something that decent local team management could accomplish with considerably more efficiency.

          2. nichomach

            Re: Too little, too late.

            You don't get joined up thinking after a decade of balkanisation aimed at privatisation. That said, the NHS is starved of resources.

          3. TeeCee Gold badge
            Facepalm

            Re: Too little, too late.

            The serious problem is, right at the very top, it's run by Civil Servants.

            Who, by their very nature, care more about bureaucracy, form-filling, targets, getting backhanders from suppliers, ensuring they have a highly paid sinecure to retire to and enlarging their department than they do about health, patients, etc...

            1. batfink

              Re: Too little, too late.

              Really? And how many of those things don't apply to large private sector organisations?

              1. Terry 6 Silver badge

                Re: Too little, too late.

                Irrelevant. Private corporations aren't answerable to the public. The shareholders can do what they like.

                1. captain veg Silver badge

                  Re: Too little, too late.

                  So if it were run by the private sector, it would be worse, but profitable.

                  Nice.

                  -A.

        2. Anonymous Coward
          Anonymous Coward

          Re: Too little, too late.

          The NHS is a money pit. Its staff are >80% "administrative" with ~15% actually doing the clinical work of making ill people well again! I cannot fathom how they can spend £145000 pa on a "Diversity Manager".....

          If they got rid of 90% of their useless, expensive "Administrators", and the remainder worked on actually doing what the Health Service was set up to do, the UK would be a happier, healthier, wealthier place!

          1. Roj Blake Silver badge

            Re: Too little, too late.

            You are Sajid Javid, and I claim my £5

      2. Ken Moorhouse Silver badge

        Re: Throwing unlimited money at a problem won't fix it.

        What about a DDoS?

        (Distributed Deluge of Sterling).

    2. Anonymous Coward
      Anonymous Coward

      Re: Too little, too late.

      Thought that was £350 million (350 mega-quid?) a week?

      1. Yet Another Anonymous coward Silver badge

        Re: Too little, too late.

        It was £350 million for the NHS, £350 million funding for regions to make up for lost EU funding and £350 million to pay for new customs facilities.

        There was also an unknown £ million lost trade.

        Only one of these came true, and it wasn't painted on a bus.

      2. Anonymous Coward Silver badge
        Facepalm

        Re: Too little, too late.

        Don't let facts get in the way of the anti-brexit rhetoric.

    3. Rufus McDufus

      Re: Too little, too late.

      The Theresa May government increased NHS funding by 390 million a week (the promise was never per day!) and the budget has increased a lot more since then.

      1. DF118

        Re: Too little, too late.

        Amazing she could do that even before the wonderful £350 million brexit dividend that was going to fund it.

    4. Roj Blake Silver badge

      Re: Too little, too late.

      A poultry £2M would certainly buy a lot of chickens

  2. Fading
    Headmaster

    To be fare (pun intended)...

    If we include Covid NHS funding, the change from 2019 to 2020 (Jan 2020 being when "Brexit" happened) was an increase from £149 billion to £191 billion, so around an £800 million a week increase (https://www.kingsfund.org.uk/projects/nhs-in-a-nutshell/nhs-budget), so the promised £350 million (a week - it was a week on the bus - https://jonworth.eu/the-two-versions-of-the-350-million-for-the-nhs-slogan/) was more than given.

    1. nichomach
      Mushroom

      Re: To be fare (pun intended)...

      The 350m was supposed to be financed by Brexit savings, so it emphatically was not given *from the source described*. Having our taxes increased to fund increases instead was not on the side of the bus. Also, "if we include Covid funding"? Pull the other one. Covid was a national emergency; in the same way that actually fighting a war isn't in the defence budget (it's funded by contingency funding from the Treasury) neither is a pandemic in the budget for the day to day running of the NHS. That's leaving aside that billions of that funding was trousered by Tory donors through unlawful contracts - and that was so blatant that the government doesn't dare appeal the verdict.

      1. Fading

        Re: To be fare (pun intended)...

        There was no source defined in the original comment. Whilst it was a national emergency the figures supplied to the NHS far exceeded the additional number on the side of the bus - and if the funding is continued as listed in the link I provided it will still exceed the £350M per week. Would they have done it without the emergency - well that's highly debatable.

        As it is, I'm not pulling anything, merely providing links to the relevant figures. There are many, many things to hit the current bunch of muppetised incumbents with, but an outdated and superseded (circa 2016) political advert on the side of a bus isn't one of them.

  3. DF118

    Correction

    Last year, the NHS migrated its email service from an on-premises system to Microsoft Exchange Online, which "could have been a factor in the attack," Kay noted.

    That's factually incorrect.

    Apart from anything else, in UK terms there is no such thing as "The NHS", so to say that "The NHS" does anything as a monolithic unit is wrong straight out of the trap.

    Each NHS trust (or territorial/special health board in NHS Scotland) is responsible for its own email provision.

    For more than a decade many NHS organisations UK-wide chose to join consortia whereby email provision is done externally by companies such as Accenture (i.e. NHSMail2, which runs on Exchange). This practice has not been universal, but is very widespread and, as a system, NHSMail has been in place in some form or another for well over a decade.

    In truth, very few NHS orgs have been purely on-prem for their email for many years now. Even those which maintain on-prem provision also made use of externally provided systems such as NHSMail.

    NHS Scotland organizations have, since around autumn 2020, been migrating to M365/EXO from whatever they were using before (mostly NHSMail2). This is part of an overarching contract the Scottish Government has with Microsoft, which also covers other national public sector orgs in Scotland beyond NHSS. I'm not sure if something similar is happening in England & Wales, but if it is then it'd perhaps explain the first part of the statement above.

    1. AMBxx Silver badge

      Re: Correction

      Just a shame they didn't fix the email account names at the same time.

      My wife's account is first.last@nhs.net. Someone else has the same name, so has firstlast@nhs.net.

      Lots of email is sent to the wrong woman.

      1. Yet Another Anonymous coward Silver badge

        Re: Correction

        This is precisely why the NHS has to shrink. The odds of 2 people having the same name is inevitably high with a single payer national health service. While with the whole system replaced by G4S everyone would share a single AOL email

      2. EnviableOne

        Re: Correction

        be grateful she's not john.smith238@nhs.net or jonhsmith165 which both exist.

        They have the ability for organisation-specific sub-domains, but it's a "receive only" alias

        e.g. john.smith@<mytrust>.nhs.net

        The misdirected email thing is a huge issue.

        But getting back to the story, it may be 136 NHSMail accounts, but it's a wider O365 issue that all orgs have to face, and NHSMail is too monolithic to handle.

        1. AMBxx Silver badge

          Re: Correction

          It's not just NHS employees. My wife's an Optometrist, so not employed by NHS. She still gets the email account for (supposedly) secure communication with the email. I assume dentists and other private healthcare workers have an NHS address too. That's a lot of people!

    2. NeilPost Silver badge

      Re: Correction

      NHSMail .. provided by Accenture to the NHS Business Services Authority (NHSBA) … a monolithic central unit providing core shared services to Trusts etc across the devolved Nations (and England) use.

      https://www.nhsbsa.nhs.uk/

  4. Anonymous Coward
    Anonymous Coward

    I miss the old days when you used to get scams through the post. I especially liked the foreign lottery ones. I used to fill them out, write across it "Please take your admin fee out of my winnings" and send it back without a stamp.

    Didn't get too many of them for some reason.

  5. Semtex451

    Yawn

    NHSMail (nhs.net) is in very widespread use even by those Trusts that do not use it as their primary email, which often run hybrid Exchange. Phishing mail to nhs.net and nhs.uk mailboxes has been at elevated levels since October, but dealing with it is BAU.

    I remind you that NHS staff are tired, busy folk. With phishing email becoming increasingly sophisticated, credentials will get shared. They always have been and they always will be. That said, detection is, in very large part, immediate and easily remedied.

    Where possible measures are being taken by Trusts and NHS Digital to prevent email containing suspicious links from arriving in mailboxes.

    The wider phishing problem is obvious to anyone with an email account or a device that can receive texts. The NHS is no different than you, or a bank, or any other service provider.

    So the article is a bit of a non-story, there is nothing new in it. Assuming the data is not already published, an FOI to NHS Digital will show that, as well as the historical peaks and troughs.

    1. NeilPost Silver badge

      Re: Yawn

      Hey who isn’t tired and overworked.

      As a NHSnet user, it’s completely against the AUP to share credentials … esp. as it’s a safe place to share healthcare, safeguarding and PREVENT information which has special consideration under GDPR.

  6. Anonymous Coward
    Anonymous Coward

    We saw a few of these emails, not on @nhs.net emails, so it might be that they had found their way out of that system and into 3rd parties that work close to the NHS, hardly surprising really.

    One that I investigated was a link to an 'encrypted' PDF document; if you clicked the link it took you to a "Microsoft" login page, which looked fairly good apart from the URL, and the fact that the PDF had become an .xls

    Unfortunately in this instance, the user had already tried to access the file before reporting it to us, so, cue a lot of mail tracking, and contacting all the people that had then been spammed by this account, saying "for the love of Bob, don't open that link", and also a stern talk with the user in question and lots of password resets.

    1. Yet Another Anonymous coward Silver badge

      If your security response is 'don't open that link' you have fundamentally failed.

      Suppose the pharmacy distributed Smallpox to every member of staff and then sent a memo saying, don't open suspicious vials from the pharmacy.

      I bet you also regularly distribute security notices as attachments and .ly shortened links to online training where you need to login with your credentials to access.

      1. Boothy

        Ah yes, my company decided to use a 3rd party for security training a couple of years back.

        The training was hosted on the 3rd party's URL, and they'd integrated the login to their site with our company IDs. Thus requiring us to log into this 3rd party site, with our company credentials!

        None of this was communicated internally.

        Out of the blue, we all got emails direct from this 3rd party, asking us to click a link in the email, and log in using our company logins, in order to access the security training!

        The security team were apparently inundated by people reporting it as a Phishing attempt (I also reported it).

        They ended up sending out an internal email to clarify this wasn't a Phish, was actually real, and please stop reporting it!

        12 months later, still using the same 3rd party, they actually sent out an internal email first to warn people to expect the external email.

        Someone really should have got the sack, as this was just incompetence by design!

        I've no real issue with them using a 3rd party for the training, but they could have managed the notification email internally, and done something like pass-through authentication from an internal company URL then redirect to the 3rd party URL, instead of asking people to log in directly to the 3rd party web site!

        1. Yet Another Anonymous coward Silver badge

          >They ended up sending out an internal email to clarify this wasn't a Phish, was actually real, and please stop reporting it!

          Which is of course precisely the sort of thing hackers would say

        2. captain veg Silver badge

          That's where I am.

          I have never ever shared my work email address with anyone outside of work.

          My employer gives it away to random third parties like sweeties. Microsoft, linkedin, slack, amazon, the list appears to be endless.

          And then, and this is the kicker, they get another third party to "test" us by sending "simulated" phishing emails. So that's another third party that they shared my PII with. In case anyone asks, I have never ever received a single phishing email other than those "tests".

          Given that I'm in France, I rather think that this PII sharing is illegal. We'll see.

          -A.

          1. Yet Another Anonymous coward Silver badge

            I suspect that even in France it's legal for your employer to share your work email address with potential customers

      2. Anonymous Coward
        Anonymous Coward

        Original (well, probably not, but you know what I mean) AC here.

        Security notices and .ly links in emails? No. Somewhere between generally not and never at all.

        Maybe our response was too little too late, sure, but if I had a vial from the pharmacy that I wasn't expecting and hadn't opened, then got a letter telling me not to, then I wouldn't.

        I'm genuinely interested though as to what you would have done differently.

        Scenario...

        Internal user receives dodgy email, clicks link, user is sent to dodgy page, enters credentials.

        That day, said user's account is used to forward the same dodgy email to 100+ external users.

        Our action:

        Disable user account while investigating further.

        Contact those 100+ people to warn them that they will have received an email from this user.

        Contact sender of original incoming email.

        would you have preferred us NOT to warn these external companies?

  7. Anonymous Coward
    Anonymous Coward

    Let's move ALL medical people to the one email system...

    ...what could possibly go wrong?

    1. NeilPost Silver badge

      Re: Let's move ALL medical people to the one email system...

      Yes I would think like my GP surgery ….. bugger all chance of being able to send them an E-mail or communicate in any way via the Patient Access App that interfaces to their Patient Administration System (PAS).

  8. Anonymous Coward
    Anonymous Coward

    The fake emails were sent using NHS mail relays

    "All of the fake emails were sent from two IP addresses used by the NHS, and the health agency confirmed that both were relays within the mail system used for a large number of accounts."

    Hang on, this sounds as though, once the spammers had acquired luser email account credentials, they were able to send mail using the NHS's own mail relays, which implies that the mail relays are accessible from outside the NHS network without requiring a (separately authenticated) VPN connection to actually be able to connect to, and (mis)use, the relays if working remotely (ie, from a location outwith the NHS network). Because you can always trust that someone presenting user credentials from outside your network is definitely who they say they are… Oh dear, that's not very clever. Defence in depth, people! (Or, that they were able to, uhh, worm their way onto a user's computer and send the emails from there, which is even more worrying…)
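Two of the comments above describe the same detection problem from different angles: the earlier AC's scenario (a phished account used that same day to send the lure on to 100+ external recipients) and the concern here that the relays accepted authenticated submissions from outside the NHS network. The Python below is an added example, not code from the page, The Register, the NHS or any commenter. It assumes a hypothetical submission-log format (timestamp, authenticated account, client IP, one recipient per line), constructed sample lines, and made-up internal domains and corporate address ranges; a real deployment would read the MTA's own logs and its own allow-lists.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample submission-log lines (hypothetical format; not from the page
# or any real NHSMail system). Fields: timestamp, authenticated account,
# client IP, one recipient per line.
SAMPLE_LOG = """\
2022-03-14T09:01:12 alice.jones client=10.20.4.17 to=bob.smith@example-trust.nhs.uk
2022-03-14T09:05:40 alice.jones client=10.20.4.17 to=finance@example-supplier.co.uk
2022-03-14T11:30:02 carol.white client=203.0.113.45 to=ext01@example.com
2022-03-14T11:30:03 carol.white client=203.0.113.45 to=ext02@example.org
2022-03-14T11:30:04 carol.white client=203.0.113.45 to=ext03@example.net
2022-03-14T11:30:05 carol.white client=203.0.113.45 to=ext04@example.com
2022-03-14T11:30:06 carol.white client=203.0.113.45 to=ext05@example.org
2022-03-14T11:30:07 carol.white client=203.0.113.45 to=ext06@example.net
2022-03-14T15:12:44 dave.brown client=10.20.9.3 to=ext07@example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<account>\S+) client=(?P<ip>\S+) to=(?P<rcpt>\S+)$"
)

# Assumed trusted address space and internal mail domains (constructed values).
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
INTERNAL_DOMAINS = {"nhs.net", "example-trust.nhs.uk"}


def parse_line(line):
    """Return (timestamp, account, client_ip, recipient), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["account"],
            ipaddress.ip_address(m["ip"]), m["rcpt"])


def is_external(rcpt):
    """True when the recipient domain is not one of our internal domains."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def analyse(log_text, burst_threshold=5, window=timedelta(minutes=10)):
    """Flag, per account: authenticated submissions from outside the corporate
    network, and bursts of >= burst_threshold distinct external recipients
    inside `window`. Returns {account: set(of finding strings)}; accounts with
    nothing to report are omitted."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not fit the assumed format
        ts, account, ip, rcpt = rec
        events[account].append((ts, ip, rcpt))

    findings = defaultdict(set)
    for account, evs in events.items():
        evs.sort()
        # Authenticated relay use from an address outside the trusted ranges
        for _, ip, _ in evs:
            if not any(ip in net for net in CORPORATE_NETS):
                findings[account].add(f"external-auth:{ip}")
        # Sliding time window over external recipients, tracking the peak
        ext = [(ts, r) for ts, _, r in evs if is_external(r)]
        max_burst, start = 0, 0
        for end in range(len(ext)):
            while ext[end][0] - ext[start][0] > window:
                start += 1
            max_burst = max(max_burst, len({r for _, r in ext[start:end + 1]}))
        if max_burst >= burst_threshold:
            findings[account].add(f"external-burst:{max_burst}")
    return dict(findings)


if __name__ == "__main__":
    for account, flags in analyse(SAMPLE_LOG).items():
        print(account, sorted(flags))
```

On the constructed sample only carol.white is flagged, on both counts: her submissions came from 203.0.113.45, outside the assumed corporate range, and she hit six distinct external recipients in a few seconds. Either signal alone is worth an alert; together they are the pattern the AC's "disable the account, warn the recipients" response was reacting to after the fact, and a rule like this is what lets that response start before the 100th recipient rather than after.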

    1. captain veg Silver badge

      Re: The fake emails were sent using NHS mail relays

      Yes. Looks like someone sent some bad emails from inside the network.

      I somehow doubt that this requires any kind of hacking skills. Just wait for a public-facing staff member to disappear for a few minutes on a comfort break and use their PC for a bit.

      -A.
