Share this article on:
Threat actors are targeting IKEA employees in internal phishing attacks using stolen reply-chain emails.
IKEA is warning employees of an ongoing reply-chain phishing cyber attack targeting internal mailboxes, according to internal emails seen by BleepingComputer.
The emails are being sent from other compromised IKEA organisations and business partners resulting in other IKEA organisations, suppliers and business partners becoming compromised by the same attack, further spreading malicious emails to persons in Inter IKEA, as explained in an internal email sent to IKEA employees.
"This means that the attack can come via email from someone that you work with, from any external organisation and as a reply to an already ongoing conversations."
"It is therefore difficult to detect, for which we ask you to be extra cautious," the IKEA internal email concluded.
IKEA IT teams warn employees that the reply-chain emails contain links with seven digits at the end and shared an example email, as shown below.
Employees have been instructed to refrain from opening the emails, regardless of who sent these and to report the incident immediately on Microsoft Teams, ensuring the sender is noted in the report for the IT department to investigate.
Recently, threat actors have compromised internal Microsoft Exchange servers using the ProxyShell and ProxyLogin vulnerabilities to perform phishing attacks.
Once threat actors gain access to a server, they use the internal Microsoft Exchange servers to perform reply-chain attacks against employees using stolen corporate emails.
As the emails are being sent from internal compromised servers and existing email chains, there is a higher level of trust that the emails are not malicious.
IKEA has disabled the ability for employees to release emails until the attack is resolved due to concern that recipients may release the malicious phishing emails from quarantine, thinking they were caught in filters by mistake.
"Our email filters can identify some of the malicious emails and quarantine them."
"Due to that the email could be a reply to an ongoing conversation, it's easy to think that the email filter made a mistake and release the email from quarantine."
"We are therefore until further notice disabling the possibility for everyone to release emails from quarantine," IKEA communicated to employees.
IKEA has not disclosed to employees whether internal servers were compromised and have yet to respond to media enquiries about the matter.
Attack used to spread Emotet or Qbot Trojan
According to BleepingComputer, the attack targeting IKEA is a redacted phishing email, based on URLs that have appeared in the internal emails in question.
When visiting these URLs, a browser will be redirected to a download called "charts.zip" that contains a malicious Excel document.
This attachment tells recipients to click the "Enable Content" or "Enable Editing" buttons to properly view it, as shown below.
Once those buttons are clicked, malicious macros will be executed that download files named "besta.ocx", "bestb.ocx", and "bestc.ocx" from a remote site and save them to the C:\Datop folder.
These OCX files are renamed DLLs and are executed using the regsvr32.exe command to install the malware payload.
Campaigns using this method have been seen installing the Qbot Trojan (aka QakBot and Quakbot) and possibly Emotet based on a VirusTotal submission found by BleepingComputer.
The Qbot and Emotet Trojans both lead to further network compromise and ultimately the deployment of ransomware on a breached network.
To prevent a greater disruption, IKEA is treating this security incident as a significant cyber attack due to the severity of infections and the high likelihood their Microsoft Exchange servers being compromised.
[Related: Meta removes 500 Facebook accounts linked to Chinese disinformation network]