The NCSC is investigating an automated, ongoing, widespread credential-harvesting phishing campaign currently affecting the UK.

The campaign has been active since at least July 2018 through various iterations, with a recent spike in reports to the NCSC in early October 2019. It appears to be spreading indiscriminately across a very broad range of UK sectors.

The user receives a phishing email from a legitimate, known email account that has been compromised. In earlier iterations, the phishing emails were sent from contacts with whom the recipient had recently corresponded, and the subject lines often mirrored the most recent email exchange. This gave the email an initial plausibility that encouraged the user to trust it.

More recently, the subject lines include the compromised user’s address-book entry for the recipient of the phishing email. This could be the recipient’s name, their email address, or simply blank.

The recent iteration of these phishing emails consists of a black ellipsis on a grey highlighted background, with a single sentence underneath containing a hyperlink. There are slight variations in the sentence wording, but the four structures currently prevalent are:


  • Notification received Open notification.
  • Notification received View notification.
  • Notification clipped Open notification.
  • Notification clipped View notification.

Below is an example screenshot of the current phishing email:

Previous versions of this campaign included a red, green or blue coloured button containing text variations of ‘view the message’, which prompted the campaign’s previous name, ‘RGB’ or ‘Red/Green/Blue Button Phishing Campaign’.

If the user clicks the hyperlink, a spoofed login webpage appears, which includes the victim organisation’s logo and the recipient’s email address, together with a password entry form, as shown below. The page is tailored to the recipient’s domain.

The NCSC is aware that victim accounts have been compromised without the user entering any credentials. It is possible that the actor has used password spraying to gain access.

Following compromise, the actor accesses the account remotely via IMAP to monitor the victim’s mailbox and observe the sent items. The account is then accessed a second time, via SMTP, to send this phishing email onwards, using the victim’s address book identified during the earlier access.
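The IMAP-then-SMTP sequence described above is a pattern a mail administrator can look for in authentication logs. The script below is an added example, not NCSC code: it correlates, per account, successful IMAP logins from IPs outside the account’s normal baseline with later SMTP submissions from the same IP. The log line format, the sample lines and the baseline of known IPs are all constructed assumptions; in practice the baseline would come from the account’s pre-incident login history and the line format from your own mail server.

```python
"""Correlate IMAP logins with later SMTP submissions from the same client IP.

Added example, not NCSC code. Log format, sample lines and the KNOWN_IPS
baseline are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed log format: '<ISO timestamp> <service> <account> <client-ip> <result>'
SAMPLE_AUTH_LOG = [
    "2019-10-07T08:02:11Z imap-login alice@example.org 198.51.100.10 ok",
    "2019-10-07T22:14:03Z imap-login alice@example.org 203.0.113.7 ok",
    "2019-10-08T06:30:11Z smtp-auth alice@example.org 203.0.113.7 ok",
    "2019-10-08T06:31:40Z smtp-auth alice@example.org 203.0.113.7 ok",
    "2019-10-08T09:00:00Z imap-login bob@example.org 198.51.100.11 ok",
    "2019-10-08T09:05:00Z smtp-auth bob@example.org 198.51.100.11 ok",
    "2019-10-08T10:00:00Z smtp-auth carol@example.org 203.0.113.9 ok",   # SMTP with no prior IMAP
    "2019-10-08T10:10:00Z imap-login dave@example.org 203.0.113.12 fail",  # failed login
    "this line is malformed",
]

# Assumed baseline: IPs each account normally authenticates from (constructed).
KNOWN_IPS = {
    "alice@example.org": {"198.51.100.10"},
    "bob@example.org": {"198.51.100.11"},
}


def parse_line(line):
    """Split one constructed log line; raises ValueError on a malformed line."""
    ts, service, account, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), service, account, ip, result


def find_imap_then_smtp(lines, known_ips):
    """Return {account: [(ip, first_imap, first_smtp, smtp_count), ...]}.

    An entry is produced when an IP outside the account's baseline logged in
    successfully over IMAP and afterwards authenticated to SMTP. Failed logins,
    malformed lines and SMTP-only IPs are ignored; lines need not be in order.
    """
    first_imap = defaultdict(dict)                   # account -> ip -> earliest IMAP success
    smtp_times = defaultdict(lambda: defaultdict(list))  # account -> ip -> SMTP timestamps
    for line in lines:
        try:
            ts, service, account, ip, result = parse_line(line)
        except ValueError:
            continue
        if result != "ok":
            continue
        if service == "imap-login":
            prev = first_imap[account].get(ip)
            if prev is None or ts < prev:
                first_imap[account][ip] = ts
        elif service == "smtp-auth":
            smtp_times[account][ip].append(ts)

    findings = {}
    for account, ips in first_imap.items():
        for ip, imap_ts in ips.items():
            if ip in known_ips.get(account, set()):
                continue
            later = [t for t in smtp_times[account].get(ip, []) if t > imap_ts]
            if later:
                findings.setdefault(account, []).append((ip, imap_ts, min(later), len(later)))
    return findings


if __name__ == "__main__":
    for account, hits in find_imap_then_smtp(SAMPLE_AUTH_LOG, KNOWN_IPS).items():
        for ip, imap_ts, smtp_ts, n in hits:
            print(f"{account}: {ip} IMAP at {imap_ts.isoformat()}, "
                  f"then {n} SMTP submission(s) from {smtp_ts.isoformat()}")
```

The IPs it reports are the ones to block, to search for across other accounts, and to include when notifying Microsoft; the SMTP timestamps bound the window in which onward phishing emails were sent.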

The domains and URIs used in these campaigns appear to follow patterns of key words. New words are added over time.

The following RegEx, based on the URIs used, may help detect the emails. It matches a query string of the form ?key=value, followed by an underscore or hyphen and a 32-character hexadecimal token:

[?][0-9a-zA-Z\-\'\.]{1,30}[=][0-9a-zA-Z\-\'\.]{1,30}[_-][0-9a-f]{32}\b

The NCSC recommends checking all results for false positives.

The accompanying .csv file contains a list of domains associated with this campaign. The filenames and associated SHA-256 file hashes below are also associated with the campaign:
main.f6ad0723.chunk.css 9aeee4106abdff31934b6f719ba0a049c9105c8620b21b80041a45413a27920f
1.dd3f77a8.chunk.js 12236c9905b8c01a2ab7e80125675946b1ba528084e3aaad2bf1e3b3430c5753
main.62c34469.chunk.js ff3f8f2d365d6d17d2838fdd4f2f1e6b434c3ed069d19063f79b720c22d66f8c

To report an ongoing incident associated with this campaign to the NCSC, please visit here.

Where possible, scan emails for links which match the RegEx in this report. These emails should be flagged as potentially malicious and investigated. Scan web logs to identify whether users have visited the domains, or requested the filenames, listed above. Where malicious activity has been detected, inspect mail servers to understand how the emails have propagated and to identify the IP addresses from which the emails were sent.
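The checks described above, as an added example that is not part of the advisory: the advisory’s RegEx is applied to links, the four body sentences are matched, and web log lines are checked against the domain list and the three published filenames. The RegEx and filenames are taken from this page; the CSV layout (one domain per row, first column), the placeholder domains, the proxy log format and all sample data are constructed assumptions.

```python
"""Detection helpers for the indicators published in this advisory.

Added example, not NCSC code. The RegEx, the body sentences and the three
filenames come from the advisory; the CSV layout, domains, log format and
sample data below are constructed for illustration.
"""
import csv
import io
import re
from urllib.parse import urlsplit

# RegEx from the advisory, copied verbatim: ?key=value followed by '_' or '-'
# and a 32-character hex token.
URI_PATTERN = re.compile(
    r"[?][0-9a-zA-Z\-\'\.]{1,30}[=][0-9a-zA-Z\-\'\.]{1,30}[_-][0-9a-f]{32}\b"
)

# The four sentence structures listed in the advisory; \s+ tolerates a line
# break between the two halves.
BODY_PATTERN = re.compile(
    r"\bNotification (?:received|clipped)\s+(?:Open|View) notification\b", re.IGNORECASE
)

# Filenames from the advisory (hashes are compared separately if files are retrieved).
CAMPAIGN_FILENAMES = {"main.f6ad0723.chunk.css", "1.dd3f77a8.chunk.js", "main.62c34469.chunk.js"}

# Stand-in for the advisory's .csv; these domains are constructed placeholders.
SAMPLE_DOMAIN_CSV = "domain\nnotification-view.invalid\nopen-notification.invalid\n"


def load_domains(csv_text):
    """Return lower-cased domains from the first CSV column, skipping the header."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader, None)
    return {row[0].strip().lower() for row in reader if row and row[0].strip()}


def link_hits_uri_pattern(url):
    """True if the link carries the campaign's ?key=value_<32 hex> query shape."""
    return URI_PATTERN.search(url) is not None


def classify_url(url, domains):
    """Return the set of reasons a URL looks campaign-related (empty if clean)."""
    parts = urlsplit(url)
    reasons = set()
    if (parts.hostname or "").lower() in domains:
        reasons.add("domain")
    if parts.path.rsplit("/", 1)[-1] in CAMPAIGN_FILENAMES:
        reasons.add("filename")
    if link_hits_uri_pattern(url):
        reasons.add("uri-pattern")
    return reasons


def scan_email(body, links, domains):
    """Flag one email: body-sentence check plus the URL checks on every link."""
    reasons = set()
    if BODY_PATTERN.search(body):
        reasons.add("body-sentence")
    for link in links:
        reasons |= classify_url(link, domains)
    return reasons


def scan_web_log(lines, domains):
    """Scan constructed proxy lines '<timestamp> <client-ip> <method> <url> <status>'.

    Returns one (client_ip, url, sorted reasons) tuple per suspicious request.
    Malformed lines are skipped so one bad line does not abort a large scan.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client_ip, url = fields[1], fields[3]
        reasons = classify_url(url, domains)
        if reasons:
            hits.append((client_ip, url, sorted(reasons)))
    return hits


# Constructed sample data (not real campaign traffic).
SAMPLE_EMAIL_LINKS = [
    "https://notification-view.invalid/n?user=alice.smith_0123456789abcdef0123456789abcdef",
    "https://intranet.example/docs?id=42",                                      # benign
    "https://notification-view.invalid/n?u=bob-a1b2c3d4e5f60718293a4b5c6d7e8f9",  # only 31 hex chars
]
SAMPLE_WEB_LOG = [
    "2019-10-08T09:12:44Z 10.0.0.15 GET https://notification-view.invalid/static/css/main.f6ad0723.chunk.css 200",
    "2019-10-08T09:12:45Z 10.0.0.15 GET https://cdn.example/static/js/1.dd3f77a8.chunk.js 200",
    "2019-10-08T09:13:02Z 10.0.0.23 GET https://www.example/index.html 200",
    "malformed line",
]

if __name__ == "__main__":
    domains = load_domains(SAMPLE_DOMAIN_CSV)
    print(scan_email("Notification received\nOpen notification.", SAMPLE_EMAIL_LINKS[:1], domains))
    for ip, url, why in scan_web_log(SAMPLE_WEB_LOG, domains):
        print(ip, url, ",".join(why))
```

The third sample link shows why the RegEx is worth keeping strict: a 31-character token does not match, so a hit on the 32-character form is a strong signal, while the "filename" reason on its own (a chunk filename served from an unlisted host) is weaker and should be reviewed for false positives as the advisory recommends.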

The NCSC recommends resetting the passwords of affected accounts as soon as possible, ensuring that each new password follows a strong password policy. Password guidance from the NCSC can be found here.


The NCSC strongly recommends turning off legacy authentication protocols if you are using Office 365, because this campaign uses legacy protocols (IMAP and SMTP) to access compromised accounts. A guide to how to do this can be found here.

Further guidance on securing your organisation’s use of Office 365 can be found on our website. The NCSC also recommends the use of Multi-Factor Authentication (MFA) with Office 365 and across your estate, as well as educating your users about this campaign and about spear-phishing emails more widely. MFA is only effective in mitigating the type of credential theft seen in this campaign if legacy authentication protocols are disabled, because legacy protocols such as IMAP and SMTP basic authentication do not prompt for a second factor. See the relevant NCSC guidance below:

  • Multi-factor authentication for online services
  • Setting up two-factor authentication
  • Securing Office 365 with better configuration

To further secure the compromised accounts, it may be prudent to revoke and reconfigure the tokens used for authentication within Office 365. Further guidance on token configuration can be found here.

The NCSC strongly recommends notifying Microsoft’s Cyber Security Team at secure@microsoft.com, quoting the details of your findings in relation to this incident. Where possible, give Microsoft permission to share their findings relating to your organisation with the NCSC, so that all parties can understand and mitigate this threat together.

Further to the above, the NCSC guidance linked below could assist more generally: