If you receive an email that you suspect to be spam, or suspect may be an attempt to spoof or phish your account, it is extremely important that you report this to the NHSmail helpdesk.
You will NEVER legitimately be asked to provide your NHSmail credentials to anyone. Do not respond to or follow any links within an email that asks you for your login details. If you receive an email asking you for your NHSmail account credentials, please report it following the instructions below.
If you have responded in any way to any such email, please contact your Local IT service desk immediately and report it to them in the first instance. They will be able to provide initial support and advice on further actions, such as password changes.
To report suspicious emails, please see below for the option relevant to your domain:
- nhs.net: Use the Microsoft shield icon in the top navigation menu of your Microsoft Outlook desktop app or Outlook Web App (OWA).
- *.nhs.uk: Follow the guidance below to provide a copy of the message in a suitable format to the SpamReports mailbox.
nhs.net: Reporting threats with the Microsoft shield icon in Microsoft Outlook or OWA
- Select the suspect email from your email list
- In the top navigation menu, select ‘Report’, then ‘Report Phishing’ or ‘Report Junk’
- A pop-up box will appear confirming your choice. Select ‘OK’ if using Microsoft Outlook or ‘Report’ if using OWA
*.nhs.uk: Reporting threats to the SpamReports mailbox
In order for the service to efficiently process your spam report please ensure that you have attached a copy of the offending email in .eml or .msg format. This must be attached directly from your mailbox (not from a forward or copy). The guidelines below explain how to do this and report it to: spamreports@nhs.net.
If you have already attached a copy of the spam mail in the correct format, and it has been taken directly from the recipient’s mailbox, then it will be uploaded to the spam filters for blocking. Please allow up to 48 hours for this blocking process to take effect. No further correspondence will be required.
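For anyone checking a report before it is sent on, the following added example (not NHSmail's own code) tests whether a report carries the suspect email as an attachment or only as an inline forward. The function names, the sample messages and the use of a `Received` header as a sign that the original headers survived are assumptions made for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

def check_report(raw: bytes) -> dict:
    """Say whether a report carries the original email as .eml or .msg."""
    report = message_from_bytes(raw, policy=policy.default)
    result = {"ok": False, "format": None, "subject": None, "has_received": False}
    for part in report.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if part.get_content_type() == "message/rfc822":
            # 'Forward as attachment' embeds the whole message, headers included.
            original = part.get_content()
            result.update(ok=True, format="eml",
                          subject=str(original.get("Subject", "")),
                          # Heuristic (assumption): transport headers are intact.
                          has_received=original["Received"] is not None)
            break
        if filename.endswith(".msg"):
            # Outlook .msg is a binary container; only its presence is recorded.
            result.update(ok=True, format="msg")
            break
    return result

def build_samples():
    """Constructed sample reports: forwarded as attachment vs. inline forward."""
    original = EmailMessage()
    original["Received"] = ("from mail.example.invalid by mx.example.invalid; "
                            "Mon, 1 Jan 2024 00:00:00 +0000")
    original["From"] = "sender@example.invalid"
    original["Subject"] = "Verify your mailbox"
    original.set_content("Constructed sample body.")
    good = EmailMessage()
    good["To"] = "spamreports@nhs.net"
    good["Subject"] = "phishing"
    good.set_content("Suspect email attached.")
    good.add_attachment(original)  # becomes a message/rfc822 part
    inline = EmailMessage()
    inline["To"] = "spamreports@nhs.net"
    inline["Subject"] = "FW: Verify your mailbox"
    inline.set_content("-----Original Message-----\nSubject: Verify your mailbox\n")
    return good.as_bytes(), inline.as_bytes()

if __name__ == "__main__":
    for label, raw in zip(("attachment", "inline"), build_samples()):
        print(label, check_report(raw))
```
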
Reporting threats with Microsoft Outlook desktop app
Forward the email to spamreports@nhs.net as an attachment for virus analysis and central trend monitoring:
- Select the suspect email from your email list
- In the Outlook ribbon in the respond area, select ‘More’ and then select ‘Forward as Attachment’
- In the email window that opens add spamreports@nhs.net as the recipient in the ‘To’ field
- Click ‘Send’
Reporting threats with Outlook Web App (OWA)
Follow the instructions below to report the email you suspect is spam in Outlook Web App (https://email.nhs.net/owa).
- Open the email you wish to report (be careful not to click on any links or attachments).
- Click on the three dots in the right corner of the email message, select ‘Other reply actions’, then ‘Forward as attachment’
- Type spamreports@nhs.net into the ‘To’ field
- Edit the subject line with the appropriate text. Note: It is recommended that you use spam, phishing or malicious depending on the type of email you are reporting
- Click ‘Send’
Reported messages will be sent to Microsoft for analysis. For more information please see guidance from Microsoft here.
Reporting Targeted Threats and Suspected Compromised NHS Accounts
Certain malicious emails warrant further assessment by NHS England’s National CSOC, such as:
- Emails that appear to have been sent by a compromised nhs.net or nhs.uk account.
- Phishing emails that appear highly targeted in nature, such as impersonation of a senior NHS individual, NHS organisation, or supplier.
- Emails that appear to be engaging in mandate fraud.
- Emails that are making specific threats related to NHS cyber security.
If you receive such an email, please report it to the CSOC by emailing cybersecurity@nhs.net.
Please do not report generic spam to CSOC. NHSmail and Microsoft are best placed to handle this as outlined in the guidance above.
Last Reviewed Date: 12/12/2024