The U.K.’s National Health Service has been infected by a massive phishing campaign that resulted in hundreds of accounts on Microsoft 365 being compromised.

Detailed today by researchers by email security firm INKY Technology Corp., the phishing campaign was first detected in October, then escalated in March. The campaign used compromised NHS accounts to send phishing emails to unsuspecting third parties.

The researchers detected 1,157 phishing emails originating from NHSMail, the NHS email system for employees in England and Scotland. That may not seem like much, but it’s notable that INKY only detected attempts made on its customers, meaning that the actual number was likely much larger.

The NHS was migrated from an on-premises installation to Microsoft Exchange online last year, a possible factor in the attack. The phishing emails were all sent from two IP addresses, both used by the NHS, and passed email authentication for nsh.net, showing that the phishing campaign was using compromised NHS accounts.

Most of the phishing emails included fake document notifications with malicious links to credential-harvesting sites that targeted Microsoft credentials. Some of the emails impersonated Adobe and Microsoft by using their logo in the phishing emails. A few of the phishing emails are described as being advance-fee scams.

The phishing campaign mostly came to an end around April 19 as the NHS mitigated the incursion and compromised accounts after INKY contacted the NHS with its findings. That said, the researchers noted that there was still the occasional phishing email slipping through the net.

“We have processes in place to continuously monitor and identify these risks,” the NHS said in a statement. “We address them in collaboration with our partners who support and deliver the national NHSmail service.”

Noting that it found only 139 compromised accounts, the researchers say that given the vast number of NHS accounts, the percentage could still be expected to produce newly compromised accounts every day.

“Perhaps this is a moment to introduce the idea that phishing can be like a leak in the boat,” the researchers conclude. “It doesn’t matter that the hole is small. It will still sink the boat eventually. Even if only a few bad emails get through, with a malicious enough payload, a single successful attack can be life-altering.”

Photo: Elliott Brown/Flickr