IKEA Struck by Email Reply-Chain Cyberattack!

IKEA Struck by Email Reply-Chain Cyberattack!

UPDATED: As of Tues., IKEA declined to say whether the cyber-attack was still ongoing. IKEA warned employees last Fri. that an ongoing cyber-attack was using internal emails to malspam malicious links in active email threads.

As of Fri. – shopping Black Friday – retail giant IKEA was dealing with a then-ongoing reply-chain email phishing attack in which attackers were mal-spamming replies to stolen email threads.

Warned Employees

Bleeping Computer got a look at an internal notice that warned employees of the attack, which was targeting the company’s internal email inboxes. The phishing emails were coming from internal IKEA email addresses, as well as from the systems compromised at the company’s suppliers & partners.

“There is an ongoing cyberattack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, & business partners are compromised by the same attack & are further spreading malicious emails to persons in Inter IKEA.

External Organisation

“This means that the attack can come via email from someone that you work with, from any external organisation, & as reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious.” –IKEA internal email to employees.

113021 10:22 UPDATE: An IKEA spokesperson explained that the company “takes the matter seriously.”

As of Tues. morning, the company had not seen any evidence of its customers’ data, or business partners’ data, having been compromised.

Internal Defence

“We continue to monitor to ensure that our internal defence mechanisms are sufficient,” the spokesperson stated, adding that “Actions have been taken to prevent damages” & that “a full-scale investigation is ongoing.”

The spokesperson outlined that the company’s “highest priority” is that “IKEA customers, co-workers & business partners feel certain that their data is secured & managed correctly.”

IKEA did not respond to queries about whether the attack has been contained or if it is still ongoing.

Example Phishing Email

IKEA sent its employees an example phishing email, shown below, that was received in Microsoft Outlook. The company’s IT teams reportedly pointed out that the reply-chain emails contain links ending with 7 digits.

Employees were warned against opening the emails, regardless of who sent them, & were asked to immediately report the phishing emails to the IT department if they receive them.

Exchange Server Attacks Familiar

The attack sounds familiar: Earlier this month, Trend Micro published a report about attackers who were doing the same thing with replies to hijacked email threads.

The attackers were focusing on the Proxy Logon & Proxy Shell vulnerabilities in Microsoft Exchange Server to hijack email chains, by mal-spamming replies to ongoing email threads & hence boosting the chance that their targets would click on malicious links that lead to malware infection.

Malspam Campaigns

As security experts have noted, hijacking email replies for malspam campaigns is an effective way to get past people’s spam suspicions & to avoid getting flagged or quarantined by email gateways.

What was still under discussion at the time of the Trend Micro report: Whether the attack was delivering Squirrel Waffle, the new email loader that showed up in Sept., or whether Squirrel Waffle was just 1 piece of malware among several that the campaigns were dropping.

Cisco Talos researchers 1st heard of the Squirrel Waffle malspam campaigns beginning in mid-Sept., when they saw booby-trapped Microsoft Office documents delivering Qakbot malware & the penetration-testing tool Cobalt Strike – 2 of the most common threats regularly observed targeting organisations around the world.

Infected Systems

The Office documents infected systems with Squirrel Waffle in the initial stage of the infection chain.

Squirrel Waffle campaigns are known for using stolen email threads to increase the chance that a victim will click on malicious links. Those rigged links are put into an email reply, similar to how the virulent Emotet malware – typically spread via malicious emails or text messages – has been known to work.

Trend Micro’s incident-response team had decided to look into what its researchers believed were Squirrel Waffle-related intrusions in the Middle East, to figure out whether the attacks involved the notorious, often-picked-apart Proxy Logon & Proxy Shell Exchange server vulnerabilities.


Their conclusion: Yes, the intrusions were linked to Proxy Logon & Proxy Shell attacks on unpatched Exchange servers, as evidenced by the IIS logs of 3 compromised servers, each compromised in a separate intrusion, all having been exploited via the Proxy Shell & Proxy Logon vulnerabilities CVE-2021-26855CVE-2021-34473 & CVE-2021-34523.

In the Middle East campaign that Trend Micro analysed, the phishing emails contained a malicious Microsoft Excel doc that did what malicious Excel documents do: It prompted targets to choose “Enable Content” to view a protected file, thus launching the infection chain.

More Similarities

Since IKEA has not responded to inquiries, it is impossible to say for sure whether or not it has suffered a similar attack. However, there are yet more similarities between the IKEA attack & the Middle East attack analysed by Trend Micro earlier this month.

Specifically, as Bleeping Computer reported, the IKEA reply-email attack is likewise deploying a malicious Excel document that similarly instructs recipients to “Enable Content” or “Enable Editing” to view it.

You Cannot Trust Email from ‘Someone You Know’

It is easy to mistake the malicious replies as coming from legitimate senders, given that they pop-up in ongoing email threads. Saryu Nayyar, CEO of Gurucul, noted that IKEA employees are learning the hard way that replies in threads are not necessarily legitimate, & can be downright malicious.

“If you get an email from someone you know, or that seems to continue an ongoing conversation, you are probably inclined to treat it as legitimate,” she explained on Mon.

“However, IKEA employees are finding out otherwise. They are being attacked by phishing emails that are often purportedly from known sources & may be carrying the Emotet or Qbot trojans to further infect the system & network.”

This attack is “particularly insidious,” she commented, in that it “seemingly continues a pattern of normal use.”

No Ignoring Quarantine

With such “normal use” patterns lulling would-be victims into letting down their guards, it raises the possibility that employees might assume that email filters were mistaken if they quarantined the messages.

Thus, IKEA’s internal email advised employees that its IT department was disabling the ability to release emails from quarantine. As it is, its email filters were identifying at least some of the malicious emails:

“Our email filters can identify some of the malicious emails and quarantine them. Due to that the email could be a reply to an ongoing conversation, it is easy to think that the email filter made a mistake & release the email from quarantine.

We are therefore until further notice disabling the possibility for everyone to release emails from quarantine.” –IKEA internal email to employees.

Training – a Waste of Time?

With such tricky attacks as these, is training pointless? Some say yes, some say no.

Erich Kron, Security Awareness Advocate at KnowBe4, is pro-training, particularly given how damaging these attacks can be.

“Compromised email accounts, especially those from internal email systems with access to an organisation’s contact lists, can be very damaging, as internal emails are considered trusted & lack the obvious signs of phishing that we are used to looking for,” he explained on Mon.

Legitimate Account

“Because it is from a legitimate account, & because cyber-criminals often inject themselves into previous legitimate conversations, these can be very difficult to spot, making them very effective.

“These sorts of attacks, especially if the attackers can gain access to an executive’s email account, can be used to spread ransomware & other malware or to request wire transfers to cyber-criminal-owned bank accounts, among other things,” Kron stated.

He suggested training employees not to ‘blindly’ trust emails from an internal source, but to ‘hover’ over links & to consider the context of the message.

Pick up the Phone

“If it does not make sense or seems unusual at all, it is much better to pick up the phone & quickly confirm the message with the sender, rather than to risk a malware infection or falling victim to a scam,” he observed.”

In contrast, Christian Espinosa, MD of Cerberus Sentinel, is a firm vote for the “training is pointless” approach.

“It should be evident by now that awareness & phishing training is ineffective,” he cautioned on Mon. “It’s time we accept users will continuously fall for phishing scams, despite how much ‘awareness training’ we put them through.”


What options do we have? Espinosa suggested that cyber-security defence playbooks “should focus on items that reduce risk, such as application whitelisting, which would have stopped this attack, as the ‘malware’ would not be whitelisted.”

He pointed to other industries that have compensated for human factors, such as transportation. “Despite awareness campaigns, the transportation industry realised that many people did not ‘look’ before turning across traffic at a green light,” Espinosa stated.

Green Arrow

“Instead of blaming the drivers, the industry changed the traffic lights. The newer US lights prevent drivers from turning across traffic unless there is a green arrow.”

This change saved 1,000s of lives, he concluded, & it is high time that the cyber-security industry similarly “takes ownership.”