Phishing lures also abuse the Microsoft and DocuSign brands
Proofpoint Threat Intelligence Services (PTIS) has identified a series of credential phishing attacks aimed at harvesting Microsoft credentials.
These attacks use either spoofed or compromised email accounts belonging to the National Health Service (NHS), with the lures originating from an NHS[.]net email address. The lures, which use the subject line “YOU NEED TO SETTLE THIS,” contain a fake DocuSign prompt to review a document allegedly about an overdue invoice.
Following the prompt leads to a lookalike Microsoft site designed to steal user credentials.
These lures target users in the United Kingdom. While the email sending address may appear genuine, the fully capitalized email subject line is highly unusual for a government email.
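The traits described above (an nhs.net sender, a fully capitalized subject, and a DocuSign prompt whose link leads somewhere other than DocuSign) can be combined into a mail-triage heuristic. The following Python is an added example, not Proofpoint's detection logic; the function names, the DocuSign host list, the eight-letter subject threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: hosts treated as genuine DocuSign; adjust for your environment.
DOCUSIGN_HOSTS = ("docusign.com", "docusign.net")
URL_RE = re.compile(r"https?://[^\s\"'<>\[\]]+", re.I)

def host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)

def lure_indicators(raw_message):
    """Return the lure traits from the advisory that this message exhibits."""
    msg = message_from_string(raw_message)
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if host_matches(sender.rpartition("@")[2], ("nhs.net",)):
        hits.append("nhs.net sender")
    letters = [c for c in msg.get("Subject", "") if c.isalpha()]
    if len(letters) >= 8 and all(c.isupper() for c in letters):
        hits.append("all-caps subject")
    # Collect every text part; decode leniently so odd encodings cannot crash triage.
    body = " ".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")
    if "docusign" in body.lower():
        hosts = {(urlsplit(u).hostname or "").lower() for u in URL_RE.findall(body)}
        off_brand = sorted(h for h in hosts if h and not host_matches(h, DOCUSIGN_HOSTS))
        if off_brand:
            hits.append("DocuSign-branded link to " + ", ".join(off_brand))
    return hits

# Constructed sample messages (not taken from real traffic).
LURE = (
    "From: Accounts <constructed.sender@nhs.net>\n"
    "Subject: YOU NEED TO SETTLE THIS\n"
    "\n"
    "DocuSign: please review the overdue invoice\n"
    "https://login.example.test/review\n"
)
BENIGN = ("From: Clinic <constructed.clinic@nhs.net>\n"
          "Subject: Appointment reminder\n\nYour appointment is on Tuesday.\n")

if __name__ == "__main__":
    print(lure_indicators(LURE), lure_indicators(BENIGN))
```

A single indicator, such as the nhs.net sender alone, matches legitimate mail; the combination of all three is what matches the lure described here.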