Cyber Incident Victim: National Health Service
Date: Oct 2022
Location: United Kingdom
Summary
Attackers compromised over 100 employee email accounts at the National Health Service and used them for phishing campaigns over several months to steal Microsoft credentials and personal information. The fraudulent emails, sent from legitimate NHS addresses, impersonated document delivery alerts and brands such as Adobe, while some advance-fee scams promised fictitious donations in exchange for victims' details. Over 1,150 malicious messages originated from two NHS IP addresses, and the organization's own confidentiality disclaimers were appended to lend them credibility. Although mitigation efforts reduced phishing volume by migrating to cloud email services, residual attacks persisted because the NHS's complex infrastructure supports thousands of healthcare entities. Security researchers confirmed the campaigns resulted from individual account hijackings rather than a systemic breach of email servers.
Description
Between October 2021 and April 2022, attackers compromised over 100 email accounts belonging to employees of the United Kingdom's National Health Service (NHS) across England and Scotland. These hijacked accounts were used to send fraudulent emails from two NHS IP addresses, with researchers from email security firm INKY detecting 1,157 malicious messages during this six-month period. The phishing campaigns primarily impersonated document delivery notifications containing links to credential harvesting pages designed to steal Microsoft account logins. Attackers enhanced the credibility of these messages by appending legitimate NHS confidentiality disclaimers to the emails and incorporating corporate branding elements from companies like Adobe and Microsoft in some variants.

A secondary scheme involved advance-fee fraud attempts in which recipients were falsely informed of a $2 million donation from Jeff Bezos and told to provide personal information, including full names, addresses, and phone numbers, to receive the funds. Replies to these messages were answered by an individual using the alias "Shyann Huels," who claimed affiliation with Bezos's office. Blockchain analysis revealed that a cryptocurrency wallet associated with this persona received approximately 4.5 bitcoins (valued at $171,000 at the time of reporting). INKY notified the NHS about the ongoing campaigns, prompting the organization to migrate from on-premises Microsoft Exchange servers to cloud-based email services by mid-April 2022. This transition reduced but did not eliminate phishing activity, owing to the NHS's complex technical infrastructure supporting thousands of healthcare providers and suppliers across the UK. The incident stemmed from individual account compromises rather than a systemic breach of NHS email servers, with attackers maintaining persistent access to legitimate accounts for months to distribute phishing messages.
