National Cyber Security Centre

Alert: Mass credential harvesting phishing campaign active in the UK

The NCSC is investigating an automated, ongoing, widespread credential-harvesting phishing campaign currently affecting the UK


The NCSC is investigating an automated, ongoing, widespread credential-harvesting phishing campaign currently affecting the UK. The campaign has been active since at least July 2018 through various iterations, with a recent spike in reports to the NCSC in early October 2019. It appears to be spreading indiscriminately across a very broad range of UK sectors.


In this campaign, the user receives a phishing email from a legitimate and known email account which has been compromised. Phishing emails were previously sent from contacts in recent email communications with the recipient, and the subject lines often mirrored the most recent email exchange. This created an initial plausibility for the user to trust the email.
More recently, the subject lines include the compromised user’s address-book entry for the recipient of the phishing email. This could be the recipient’s name or email address, or it may simply be blank.

The recent iteration of these phishing emails consists of a black ellipsis with a grey highlighted background and a single sentence underneath containing a hyperlink. There are some slight variations in the sentence wording but the four structures currently prevalent include:

  • Notification received Open notification.
  • Notification received View notification.
  • Notification clipped Open notification.
  • Notification clipped View notification.

Below is an example screenshot of the current phishing email:

Previous versions of this campaign have included a red, green or blue-coloured button containing text variations of ‘view the message’, prompting the previous name for this campaign ‘RGB’ or ‘Red/Green/Blue Button Phishing Campaign’.
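As an added example (not part of the NCSC alert, and not the alert's own RegEx, which is not reproduced on this page), the following Python code scores an inbound message against the traits described above: the four current "Notification ... notification" body sentences, the earlier "view the message" button text, a single hyperlink, a subject that is blank or equals the recipient's address-book entry, and a sender who is a recent contact. The addresses and URL in the sample messages are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# The four current body sentences quoted in the alert, and the earlier
# "view the message" button text. Case-insensitive; the full stop is optional.
CURRENT_BODY = re.compile(
    r"^\s*notification\s+(received|clipped)\s+(open|view)\s+notification\.?\s*$",
    re.IGNORECASE,
)
PREVIOUS_BODY = re.compile(r"view\s+the\s+message", re.IGNORECASE)

@dataclass
class Email:
    sender: str
    recipient: str
    recipient_name: str
    subject: str
    body_text: str                              # visible text, HTML stripped
    links: list = field(default_factory=list)   # hrefs found in the body

def campaign_traits(mail: Email, recent_contacts: set) -> list:
    """List the campaign traits from the alert that this message exhibits."""
    traits = []
    if CURRENT_BODY.match(mail.body_text):
        traits.append("body:notification-sentence")
    elif PREVIOUS_BODY.search(mail.body_text):
        traits.append("body:view-the-message")
    if len(mail.links) == 1:
        traits.append("body:single-link")
    if mail.subject.strip().lower() in {"", mail.recipient.lower(),
                                        mail.recipient_name.lower()}:
        traits.append("subject:blank-or-address-book-entry")
    if mail.sender.lower() in recent_contacts:
        traits.append("sender:recent-contact")
    return traits

def is_suspected_campaign_mail(mail: Email, recent_contacts: set) -> bool:
    """Flag for investigation when a campaign body sentence appears with one link."""
    t = campaign_traits(mail, recent_contacts)
    body_match = "body:notification-sentence" in t or "body:view-the-message" in t
    return body_match and "body:single-link" in t

# Constructed sample messages (placeholder addresses, not real indicators).
SUSPECT = Email("colleague@partner.example", "alice@victim.example", "Alice Smith",
                "Alice Smith", "Notification received  Open notification.",
                ["https://placeholder-lure.example/"])
BENIGN = Email("colleague@partner.example", "alice@victim.example", "Alice Smith",
               "Re: agenda", "Hi Alice, the agenda is attached.", [])
```

The subject and sender traits are not used in the verdict on their own, since legitimate mail from a known contact is common; they are returned so an analyst can see why a message was flagged.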

If the user clicks on the hyperlink, a spoofed login webpage appears, which includes the victim organisation’s logo and email address, as well as a password entry form, as shown below. This page is based on the recipient’s domain.

The NCSC is aware that victim accounts have been compromised without a user actually entering any credentials. It is possible that the actor has used password spraying to gain access.

Following compromise, the actors access the accounts remotely (via IMAP) to monitor the victim mailbox and observe the sent items. The account is then accessed a second time to disseminate this phishing email further (via SMTP), using the victim’s address book identified in the previous access.


The domains and URIs used in these campaigns appear to follow patterns of key words. New words are added over time. The following RegEx, based on the URIs used, may help detect the emails:


The NCSC recommends checking all results for false positives.

Indicators of compromise

The accompanying .csv file contains a list of domains associated with this campaign.

The filenames and associated file hashes below are also associated with the campaign:







Further information

To report an ongoing incident associated with this campaign to the NCSC, please visit here.


Where possible, scan emails for links which match the RegEx in this report. These emails should be flagged as potentially malicious and investigated. Scan web logs to identify if users have visited domains or associated filenames which match the patterns provided. Where malicious activity has been detected, inspect mail servers to understand how the emails have propagated, and to identify the IP addresses from which the emails were sent.
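The two-step account access described earlier (IMAP to read the mailbox, then SMTP to send the phishing email on to the address book) and the advice above to inspect mail servers for propagation and sending IP addresses can be turned into a simple log correlation. The Python below is an added example, not NCSC tooling; it assumes a simplified, constructed authentication log format ("<time> <event> user=<mailbox> ip=<client> [rcpts=<count>]") rather than any real server's output, and uses documentation-range IP addresses as placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real server output or real indicators).
SAMPLE_LOG = """\
2019-10-03T08:12:01Z imap-login user=bob@victim.example ip=203.0.113.7
2019-10-03T08:15:40Z imap-login user=carol@victim.example ip=192.0.2.10
2019-10-03T09:40:12Z smtp-submit user=bob@victim.example ip=198.51.100.22 rcpts=41
2019-10-03T09:41:00Z smtp-submit user=carol@victim.example ip=192.0.2.10 rcpts=2
2019-10-04T07:05:09Z smtp-submit user=bob@victim.example ip=198.51.100.22 rcpts=3
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>imap-login|smtp-submit) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+)(?: rcpts=(?P<rcpts>\d+))?$"
)

def parse(log: str) -> list:
    """Parse the assumed log format into dicts, oldest event first."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected format
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["rcpts"] = int(d["rcpts"] or 0)
        events.append(d)
    return sorted(events, key=lambda e: e["ts"])

def find_imap_then_smtp(log: str, window=timedelta(hours=24), min_rcpts=20):
    """Report accounts where an IMAP login is followed within `window` by an
    SMTP submission to at least `min_rcpts` recipients. Both client IPs are
    returned so the sending addresses can be identified and blocked."""
    by_user = defaultdict(list)
    for e in parse(log):
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        imap_logins = [e for e in evs if e["event"] == "imap-login"]
        for s in (e for e in evs if e["event"] == "smtp-submit"):
            if s["rcpts"] < min_rcpts:
                continue  # low fan-out is normal sending behaviour
            for i in imap_logins:
                if timedelta(0) <= s["ts"] - i["ts"] <= window:
                    hits.append({"user": user, "imap_ip": i["ip"],
                                 "smtp_ip": s["ip"], "rcpts": s["rcpts"]})
                    break
    return hits
```

Thresholds such as the 24-hour window and the recipient count are assumptions to tune against the organisation's normal mail volume; the NCSC's note on checking results for false positives applies here too.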

The NCSC recommends resetting the passwords of affected accounts as soon as possible, ensuring that each new password follows a strong password policy. Password guidance from the NCSC can be found here.

The NCSC strongly recommends turning off legacy authentication protocols if you are using Office 365, due to the use of legacy protocols in this campaign. A guide to how to do this can be found here.

Further guidance on securing your organisation’s use of Office 365 can be found on our website.

The NCSC also recommends the use of Multi-Factor Authentication (MFA) with Office 365 and across your estate, as well as educating your users about this campaign and about spear phishing emails more widely. MFA is only effective in mitigating the type of credential theft seen in this campaign if legacy authentication protocols are disabled. See the relevant NCSC guidance below.

Multi-factor authentication for online services

Setting up two-factor authentication

Securing Office 365 with better configuration

To further secure the compromised accounts, it may be prudent to revoke and reconfigure tokens used for authentication within Office 365. Further guidance on token configuration can be found here.

The NCSC strongly recommends notifying Microsoft’s Cyber Security Team at, quoting the details of your findings in relation to this incident. Where possible, give Microsoft permission to share their findings relating to your organisation with the NCSC, so that all parties can understand and mitigate this threat together.

Further to the above, the NCSC guidance linked below could assist more generally:


CSV: Credential harvesting domains

Known domains associated with this campaign.
