Zombie Phishing Campaign

Report a cyber attack: call 0300 303 5222 or email carecert@nhsdigital.nhs.uk

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Zombie Phish is a newly observed phishing campaign that is using compromised email accounts to target users via conversation hijacking.


Threat details

The attackers operating Zombie Phish are replying to historic email threads with a malicious link which is hidden behind an "error" message. Automatically generated URLs are being utilised to evade detection. At the time of publication, use of the .icu top-level domain has been observed in the malicious links.

Zombie Phish aims to steal credentials by redirecting users who click the links to a spoof login page. These pages have been observed to include official organisation logos to add the appearance of legitimacy.
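
The pattern described above (a reply in an existing thread that carries a link to the observed top-level domain) can be checked for at the mail gateway or during mailbox triage. The following Python check is an added example, not part of the original alert; the function names, the sample messages and the example.icu / example.org hosts are constructed, and the watched TLD set holds only the .icu value named in the alert.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# TLD named in the alert; extend from your own threat intelligence (assumption).
WATCHED_TLDS = {"icu"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_reply(msg):
    """True if headers mark the message as part of an existing thread."""
    subject = (msg["Subject"] or "").strip().lower()
    return bool(msg["In-Reply-To"] or msg["References"]) or subject.startswith("re:")


def watched_links(msg):
    """Return URLs in text/plain and text/html parts whose host is in a watched TLD."""
    hits = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        for url in URL_RE.findall(part.get_content()):
            host = (urlsplit(url).hostname or "").rstrip(".")
            if host.rsplit(".", 1)[-1] in WATCHED_TLDS and url not in hits:
                hits.append(url)
    return hits


def triage(raw):
    """Flag thread replies that carry a link to a watched TLD."""
    msg = message_from_string(raw, policy=policy.default)
    links = watched_links(msg)
    return {"reply": is_reply(msg), "links": links, "flag": is_reply(msg) and bool(links)}


# Constructed sample messages (example.icu / example.org are placeholders).
HIJACKED = """From: colleague@example.org
To: user@example.org
Subject: RE: Q3 rota
In-Reply-To: <constructed-1@example.org>
Content-Type: text/html; charset=utf-8

<p>Error: message could not be displayed.
<a href="https://x7f3q.example.icu/a9c2">Show message</a></p>
"""
BENIGN = HIJACKED.replace("example.icu", "example.org")

if __name__ == "__main__":
    print(triage(HIJACKED))
    print(triage(BENIGN))
```

Because the sender is a genuinely compromised account, sender-authentication results will normally pass for these messages, so the check keys on thread headers and link destination instead. A flagged message is a candidate for review, not a verdict.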


Remediation steps

Users are encouraged to report any incidents of emails received from compromised accounts within their organisation to their local administrator. Additionally:

  • A robust program of education and awareness training should be delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All day-to-day computer activities such as email and internet should be performed using non-administrative accounts.
  • Multi-factor authentication should be considered to further protect user accounts.

For further information on email best practice, see How to Identify Malicious Communications Within the NHS, Reporting Suspicious, Unsolicited or Spam Emails Within the NHS and the NHSmail Cyber Security Guide.


Last edited: 11 January 2022 4:03 pm