For about six months, more than 100 National Health Service (NHS) employees in the United Kingdom had their email accounts used in various phishing attacks, some of which intended to steal Microsoft logins.

Malicious actors began using authentic NHS email accounts in October 2021 after hacking them, and they continued to do so until at least April 2022.

As stated by security experts at email security platform INKY, more than a thousand phishing email messages have been sent from National Health Service email accounts belonging to employees in England and Scotland.

The specialists discovered that the malicious messages came from two NHS IP addresses and were sent from 139 NHS employees’ email accounts. INKY found 1,157 phishing emails from the two addresses that were sent to its customers.

The NHS confirmed that the two addresses were relays within the mail system [NHSMail] used for a large number of accounts.


In most instances, the fraudulent emails sent out phony document delivery notifications that linked to bogus pages requiring Microsoft credentials. Also, the threat actors included a confidentiality disclaimer from the NHS at the bottom of the email to make it look authentic.

Some emails even posed as Adobe and Microsoft by using their logos in phishing emails.

The operations appear to have been broad in scope, and in addition to trying to snatch credentials, there have been some advanced-fee cases in which the adversary notified the receiver of a huge $2 million donation.

It should come as no surprise that receiving the money came at a cost to the target in the form of personal information such as full name, address, and mobile number.

When the author replied to a phish he received from this broad campaign, he got a reply from “Shyann Huels,” who purported to be Jeff Bezos’s secretary.


This name was seen in scams at the beginning of last month, and the person conducting the operation has a cryptocurrency wallet address that obtained approximately 4.5 bitcoins, which is currently worth around $171,000.

INKY has been in touch with the UK organization since they first spotted the phishing operation. The National Health ServiceService (NHS) tackled the threat in mid-April by migrating from on-premise Microsoft Exchange deployments to the cloud service.

Following this, the phishing didn’t completely stop as INKY clients kept receiving fraudulent messages, albeit less than before.

How Can Heimdal™ Help?

Heimdal Email Security will keep your inboxes clean and lean as it uses an entire array of technologies to detect and block spam, malware, and ransomware threats before they compromise your IT system through malicious emails. The advanced spam and malware filter Heimdal Email Security is also compatible with Heimdal Email Fraud Prevention, a module especially designed to combat the growing threat of Business Email Compromise (BEC) attacks.

With our Email Security module, your business and employees will be spared from:

  • The pervasive, evolving threat of phishing.
  • Email exploits & botnet attacks.
  • Unwanted content.
  • The again-growing threat of ransomware.
  • The frustration of having to click away through never-ending spam emails.
  • Botnet attacks through email.
  • Malicious links and attachments.
  • Emails coming from infected IPs and/or domains.
  • Advanced spam.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

What Is Email Security?

Phishing attacks explained: How it works, Types, Prevention and Statistics

Cryptocurrency Security: How to Safely Invest in Digital Currency

Leave a Reply

Your email address will not be published. Required fields are marked *