Mass credential harvesting phishing campaign active in the UK

The NCSC is investigating an automated, ongoing, widespread credential-harvesting phishing campaign currently affecting the UK. The campaign has been active since at least July 2018 through various iterations, with a recent spike in reports to the NCSC in early October 2019. It appears to be spreading indiscriminately across a very broad range of UK sectors.

n this campaign, the user receives a phishing email from a legitimate and known email account which has been compromised. Phishing emails were previously sent from contacts in recent email communications with the recipient, and the subject lines often mirrored the most recent email exchange. This created an initial plausibility for the user to trust the email.
More recently, the subject lines include the compromised user’s address-book entry for the recipient of the phishing email. This could be in the recipient’s name, the email address or may just be blank.

The recent iteration of these phishing emails consists of a black ellipsis with a grey highlighted background and a single sentence underneath containing a hyperlink. There are some slight variations in the sentence wording but the four structures currently prevalent include:

  • Notification received Open notification.
  • Notification received View notification.
  • Notification clipped Open notification.
  • Notification clipped View notification.

Below is an example screenshot of the current phishing email:

Previous versions of this campaign have included a red, green or blue-coloured button containing text variations of ‘view the message’, prompting the previous name for this campaign ‘RGB’ or ‘Red/Green/Blue Button Phishing Campaign’.

If the user clicks on the hyperlink, a spoofed login webpage appears, which includes the victim organisation’s logo and email address, as well as a password entry form, as shown below. This page is based on the recipient’s domain.

The NCSC is aware that victim accounts have been compromised without a user actually entering any credentials. It is possible that the actor has used password spraying to gain access.

Following compromise, the actors access the accounts remotely (via IMAP) to monitor the victim mailbox and observe the sent items. The account is then accessed a second time to disseminate this phishing email further (via SMTP), using the victim’s address book identified in the previous access.


The domains and URIs used in these campaigns appear to follow patterns of key words. New words are added over time. The following RegEx, based on the URIs used, may help detect the emails:


The NCSC recommends checking all results for false positives.

Indicators of compromise

The filenames and associated file hashes below are also associated with the campaign:


Almost 700 domains are listed, you can view the domains IOC list here.

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: