
Jan 2024: NHS-Themed Lures Steal Microsoft Credentials

Threat Alert: NHS-Themed Lures Steal Microsoft Credentials 

  • Cybercriminals have launched a series of phishing attacks using spoofed or compromised email accounts belonging to the National Health Service (NHS). 
  • These emails, which appear to come from an NHS[.]net email address, use the subject line “YOU NEED TO SETTLE THIS.” A fully capitalized subject line like this is unlikely to come from an official government institution.
  • The lures contain a prompt to review an alleged DocuSign document. Clicking on the document leads to a lookalike login page for Microsoft 365 SharePoint and an overview of the document in question. 
  • The overview mentions the document was scanned and is “100% virus free,” likely to convince recipients to log into the lookalike webpage to access the document.  
  • The lookalike webpage instead harvests the user’s Microsoft credentials.
     

Key Actions (at Work and at Home) 

  • Be aware of potential lookalike web pages. When downloading software from the internet or navigating to a login page, always look for signs of potential web page impersonation. Be sure to check the URL carefully. Some imposter sites use URLs that very closely resemble the legitimate URL.   
  • Remember that cybercriminals take advantage of strong emotions. An urgent email from a government institution regarding an unpaid invoice can be extremely stressful. Keep in mind that cybercriminals seek to capitalize on moments of anxiety, when it is difficult to think clearly.
  • Report ANY suspicious emails using the Phish Alarm button. Remember: Our organization occasionally sends phishing simulations.  

[Image: NHS Threat Phish Indicators]
[Image: NHS Threat 2 Indicators]