UK Home Office Phishing Campaign Targeting Visa Sponsor Licence Holders
12 August 2025
By Samantha Clarke, Hiwot Mendahun, Ankit Gupta and Mimecast Threat Research Team
- Phishing campaign targeting UK sponsor licence holders through fraudulent Home Office impersonation
- Attackers seek to compromise Sponsorship Management System (SMS) credentials for financial exploitation and data theft
- Campaign utilizes captcha-gated URLs and convincing government domain spoofing to bypass security controls
- Multi-stage attack progression from credential harvesting to account monetization and identity exploitation
Campaign Overview
The Mimecast Threat Research team has identified an active phishing campaign targeting UK organizations with sponsor licence privileges through Home Office impersonation tactics. This campaign represents a significant threat to the UK immigration system, with attackers seeking to compromise access to the Sponsorship Management System (SMS) for extensive financial and data exploitation. The threat actors deploy fraudulent emails impersonating official Home Office communications, typically sent to general organizational email addresses with urgent warnings about compliance issues or account suspension. These messages contain malicious links that redirect recipients to convincing fake SMS login pages designed to harvest User IDs and passwords.
Attack Methodology
The campaign follows a systematic approach beginning with phishing emails that closely mimic legitimate Home Office notifications. Recipients are presented with urgent messages claiming new SMS notifications or system alerts requiring immediate attention. The emails direct users to fraudulent login pages that capture authentication credentials when entered.
Technical analysis reveals the use of captcha-gated URLs as an initial filtering mechanism, followed by redirection to phishing pages that closely replicate the authentic SMS interface. The threat actors demonstrate an advanced understanding of government communication patterns and user expectations within the UK immigration system.
The phishing page is a highly convincing clone of the legitimate UK Home Office SMS login page, achieved through direct copying of HTML, hotlinking of official assets, and minimal but critical changes to the form submission process.
- Legitimate Page
<form id="smslogin" method="post" action="j_security_check">
- Phishing Page
<form id="smslogin" method="post" action="sms.php">
The changed action attribute is a major red flag: it indicates that credentials entered into the form are being sent to an attacker-controlled script (sms.php) rather than the legitimate authentication system.
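The form difference above can be checked automatically when a suspicious page is fetched in a sandbox. The following is an added example, not code from Mimecast or the Home Office; the trusted host suffix and both sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

EXPECTED_ACTION = "j_security_check"   # action on the legitimate page (from the article)
TRUSTED_SUFFIX = ".homeoffice.gov.uk"  # assumption: genuine SMS hosts sit under this suffix

class FormCollector(HTMLParser):
    """Collect the attributes of every <form> element on a page."""
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.forms.append(dict(attrs))

def assess_login_page(page_url, html):
    """Return findings for any form with id 'smslogin' found on the page."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if (form.get("id") or "").lower() != "smslogin":
            continue
        action = form.get("action") or ""
        target = urljoin(page_url, action)  # where the browser will POST
        host = (urlsplit(target).hostname or "").lower()
        if not host.endswith(TRUSTED_SUFFIX):
            findings.append(f"smslogin form posts to untrusted host {host}")
        if action.rsplit("/", 1)[-1] != EXPECTED_ACTION:
            findings.append(f"smslogin form action is {action!r}, not {EXPECTED_ACTION!r}")
    return findings

# Constructed sample pages: (URL the page was served from, HTML body).
LEGIT = ("https://points.homeoffice.gov.uk/login",
         '<form id="smslogin" method="post" action="j_security_check">')
PHISH = ("https://clone.example.test/points.homeoffice.gov.uk",
         '<form id="smslogin" method="post" action="sms.php">')

if __name__ == "__main__":
    print(assess_login_page(*LEGIT))
    print(assess_login_page(*PHISH))
```

Resolving the action against the page URL also catches a clone that keeps the original action name but is served from a host outside the trusted suffix.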
Criminal Monetization Strategy
Once SMS credentials are compromised, threat actors can pursue multiple monetization paths. Primary objectives include selling access to compromised accounts on dark web forums, facilitating fraudulent Certificate of Sponsorship (CoS) issuance, and conducting extortion schemes against affected organizations.
The most lucrative exploitation involves creating fake job offers and visa sponsorship schemes, with threat actors charging victims between £15,000 and £20,000 for non-existent employment opportunities. This approach leverages the compromised sponsor accounts to create seemingly legitimate visa documentation that supports elaborate immigration fraud schemes.
Mimecast Protection
Mimecast has implemented comprehensive detection capabilities to identify and block emails associated with this Home Office impersonation campaign. We continue monitoring for evolving tactics and techniques used by these threat actors to ensure our customers remain protected against this sophisticated threat.
Targets:
UK organizations holding sponsor licences across all industries and sectors, with particular focus on companies actively managing visa sponsorship programs and regular SMS system users.
Indicators of Compromise (IOCs)
Common Subject Lines:
- A new message has been posted to your Sponsorship Management System
- Message Notification from SMS
- New Message in Your UKVI Account
- New Message Notification
- Notification from UKVI
- SMS System Notification
- System Notification – Action Required
- UKVI Secure Message
- UKVI Secure Notification
- You Have a New Message
- You Have a New SMS Account Notification
- You have received a new message
- You've Received a New Message
Malicious URLs:
- hxxps://hkrd[.]site/points.homeoffice.gov.uk.gui-sms-jsf.home.SMS-003-Home.faces
- hxxps://www.slcpi[.]org/points.homeoffice.gov.uk-uk-visas-and-immigration-gov.uk.points.homeoffice.gov.uk
- hxxps://sinsense[.]jp/gov.uk-visas-and-immigration-gov.uk.points.homeoffice.gov.uk
- hxxps://casting-one[.]jp/uk-visas-and-immigration-gov.uk.points.homeoffice.gov.uk
- hxxps://alfonzorivas[.]com/uk-visas-and-immigration-gov.uk.points.homeoffice.gov.uk
Recommendations
Email Security Controls
- Deploy advanced email security capabilities that can detect government impersonation attempts and suspicious URL patterns
- Implement URL rewriting and sandboxing to analyze links before user interaction
Access Management
- Establish multi-factor authentication for all SMS system access to prevent credential-based compromises
- Implement regular credential rotation policies for users with SMS system access
- Monitor SMS account activity for unauthorized access patterns or unusual login locations
User Awareness Training
- Educate sponsor licence holders on authentic Home Office communication channels and official email domains
- Conduct regular phishing simulations that specifically test recognition of government impersonation tactics
- Train users to verify urgent compliance notifications through official Home Office channels before taking action
Organizational Control
- Establish verification procedures for all SMS-related communications, requiring secondary confirmation through official channels
- Create incident response protocols for suspected SMS account compromise, including immediate credential changes and Home Office notification
- Implement segregation of duties for sponsor licence management to prevent single-point-of-failure scenarios
Proactive Threat Hunting:
- Search email logs for messages containing any matching subjects or URLs listed in this notification.
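One way to run that search over exported mail logs, as an added example rather than Mimecast tooling. It goes slightly beyond the listed URLs by flagging any link that carries "homeoffice.gov.uk" in its host or path while the real host is outside gov.uk; the log schema (id, subject, body) and the sample records are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

SUBJECTS = {s.lower() for s in (  # subject lines from the IOC list in this article
    "A new message has been posted to your Sponsorship Management System",
    "Message Notification from SMS", "New Message in Your UKVI Account",
    "New Message Notification", "Notification from UKVI",
    "SMS System Notification", "System Notification – Action Required",
    "UKVI Secure Message", "UKVI Secure Notification",
    "You Have a New Message", "You Have a New SMS Account Notification",
    "You have received a new message", "You've Received a New Message",
)}
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"'<>]+", re.I)

def refang(url):
    """Undo common defanging (hxxp, [.]) so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")

def spoofs_gov(url):
    """True if 'homeoffice.gov.uk' is in the URL but the host is not under gov.uk."""
    try:
        parts = urlsplit(refang(url))
        host = (parts.hostname or "").lower()
    except ValueError:  # unparseable URL: nothing to judge
        return False
    if host == "gov.uk" or host.endswith(".gov.uk"):
        return False
    return "homeoffice.gov.uk" in (host + parts.path).lower()

def hunt(records):
    """Map message id -> matched indicator types for each suspicious record."""
    hits = {}
    for rec in records:
        subject = rec["subject"].strip().lower().replace("\u2019", "'")
        reasons = ["subject"] if subject in SUBJECTS else []
        if any(spoofs_gov(u) for u in URL_RE.findall(rec["body"])):
            reasons.append("url")
        if reasons:
            hits[rec["id"]] = reasons
    return hits

# Constructed sample records (hypothetical log schema: id, subject, body).
SAMPLE = [
    {"id": "m1", "subject": "UKVI Secure Message",
     "body": "View: https://login.example.test/points.homeoffice.gov.uk.gui-sms-jsf"},
    {"id": "m2", "subject": "Quarterly report", "body": "See https://www.gov.uk/uk-visas-immigration"},
    {"id": "m3", "subject": "Re: lunch", "body": "hxxps://shop.example[.]test/gov.uk.points.homeoffice.gov.uk"},
]
if __name__ == "__main__":
    print(hunt(SAMPLE))
```

Subject matching here is exact after normalisation, so forwarded or replied copies with a prefix are caught only through the URL check.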