IKEA is experiencing a cyberattack, with criminals utilizing stolen company emails to target staff through internal phishing attempts.
IKEA Email Gets Hacked!
Cyberattackers have stolen authentic company emails and are now replying to them with links to a malicious document. Once the recipient clicks the link, malware is installed on the recipient's device in what is known as a reply-chain email attack, per Bleeping Computer.
Since the reply-chain emails appear to be authentic corporate emails and are frequently sent from hacked email accounts and internal servers, users are more likely to trust the sender and open the infected documents.
In an internal email circulating online, IKEA is notifying its staff about an ongoing reply-chain phishing cyber-attack targeting internal mailboxes. Moreover, the company's other organizations, as well as business partners, are also affected by the IKEA email hack.
"There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organizations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA," as noted in the internal email acquired by Bleeping Computer.
The internal email also explained that the attack may come in the form of an email from a coworker, an external organization, or a reply to an existing conversation, which makes it difficult to identify. The company therefore asked every employee to exercise additional caution.
Furthermore, IKEA IT staff informed employees that the reply-chain emails contain URLs that end in seven digits. Employees were also instructed not to open the emails, regardless of who sent them, and to report them to the IT department as soon as possible.
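The indicator described in the notice can be checked mechanically. The following is an added example, not code from IKEA or Bleeping Computer: it parses a raw message, extracts URLs that end in exactly seven digits, and records whether the message is a reply. The function names, the "report"/"pass" verdicts and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
# Exactly seven digits at the end of the URL (an optional trailing slash is allowed).
SEVEN_DIGITS_RE = re.compile(r"(?<!\d)\d{7}/?$")


def urls_ending_in_seven_digits(text):
    """Return the URLs in text that end in exactly seven digits."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?\"')]")  # punctuation glued to the URL
        if SEVEN_DIGITS_RE.search(url):
            hits.append(url)
    return hits


def triage(raw_message):
    """Flag a raw RFC 5322 message that carries the indicator from the notice."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    urls = urls_ending_in_seven_digits(body.get_content() if body else "")
    return {
        "verdict": "report" if urls else "pass",
        # Replies normally carry threading headers (In-Reply-To / References).
        "is_reply": bool(msg["In-Reply-To"] or msg["References"]),
        "urls": urls,
    }


# Constructed sample messages (not real traffic); example.test is a reserved name.
REPLY_WITH_INDICATOR = (
    "From: coworker@example.test\n"
    "To: staff@example.test\n"
    "Subject: RE: Delivery schedule\n"
    "In-Reply-To: <thread-1@example.test>\n"
    "\n"
    "Updated file here: https://files.example.test/docs/4815162\n"
    "\n"
    "> Can you send the schedule?\n"
)
ORDINARY_REPLY = REPLY_WITH_INDICATOR.replace(
    "https://files.example.test/docs/4815162",
    "https://intranet.example.test/wiki/Schedule",
)
```

A URL ending in seven digits is only the pattern named in this notice, so legitimate links with seven-digit identifiers will also match; treat a hit as a reason to report, not as proof of compromise.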
How Does the IKEA Email Hack Work?
To launch phishing attacks, cyberattackers started exploiting the ProxyShell and ProxyLogon vulnerabilities to access internal Microsoft Exchange servers.
For clarity, Huntress stated that cybercriminals use ProxyShell to act as a full administrator account with remote code execution, giving them the power to run any commands and any programs they choose.
Meanwhile, cyberattackers use ProxyLogon to remotely execute code on the target server from anywhere in the world with an internet connection.
After hackers acquire access to a server, they utilize internal Microsoft Exchange servers to launch reply-chain attacks against employees using stolen company emails.
Since these emails are sent from within hacked systems and existing email chains, recipients are more likely to trust that they are not infected.
There is also a possibility that recipients would unintentionally release the harmful phishing emails from spam folders, thinking that the filters had trapped them by accident. As a result, employees will not be able to send or receive emails until the incident is fixed.
"Our email filters can identify some of the malicious emails and quarantine them. Due to that, the email could be a reply to an ongoing conversation, it's easy to think that the email filter made a mistake and release the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine," IKEA informed its employees.
IKEA is treating this security issue as a severe cyberattack that could lead to a considerably more destructive attack, since it penetrated their Microsoft Exchange servers.