Level 26
Top poster
Sep 13, 2018

Excerpt from BC article:

IKEA dealing with an ongoing attack​

In internal emails seen by BleepingComputer, IKEA is warning employees of an ongoing reply-chain phishing cyber-attack targeting internal mailboxes. These emails are also being sent from other compromised IKEA organizations and business partners.
"There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA," explained an internal email sent to IKEA employees and seen by BleepingComputer.
"This means that the attack can come via email from someone that you work with, from any external organisation, and as a reply to an already ongoing conversations. It is therefore difficult to detect, for which we ask you to be extra cautious."
Internal email sent to IKEA employees
Internal email sent to IKEA employees
IKEA IT teams warn employees that the reply-chain emails contain links with seven digits at the end and shared an example email, as shown below. In addition, employees are told not to open the emails, regardless of who sent them, and to report them to the IT department immediately.
Recipients are also told to tell the sender of the emails via Microsoft Teams chat to report the emails.
Example phishing email sent to IKEA employees
Example phishing email sent to IKEA employees
Threat actors have recently begun to compromise internal Microsoft Exchange servers using the ProxyShell and ProxyLogin vulnerabilities to perform phishing attacks.
Once they gain access to a server, they use the internal Microsoft Exchange servers to perform reply-chain attacks against employees using stolen corporate emails.
As the emails are being sent from internal compromised servers and existing email chains, there is a higher level of trust that the emails are not malicious.
There is also concern that recipients may release the malicious phishing emails from quarantine, thinking they were caught in filters by mistake. Due to this, they are disabling the ability for employees to release emails until the attack is resolved.
"Our email filters can identify some of the malicious emails and quarantine them. Due to that the email could be a reply to an ongoing conversation, it's easy to think that the email filter made a mistake and release the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine," IKEA communicated to employees.
While IKEA has not responded to our emails about the attack and has not disclosed to employees whether internal servers were compromised, it appears that they are suffering from a similar attack."
Last edited by a moderator:


Staff member
Malware Hunter
Jul 27, 2015
As of Tuesday morning, the company hadn’t seen any evidence of its customers’ data, or business partners’ data, having been compromised. “We continue to monitor to ensure that our internal defence mechanisms are sufficient,” the spokesperson said, adding that “Actions have been taken to prevent damages” and that “a full-scale investigation is ongoing.”

The spokesperson said that the company’s “highest priority” is that “IKEA customers, co-workers and business partners feel certain that their data is secured and handled correctly.” IKEA didn’t respond to Threatpost’s queries about whether the attack has been contained or if it’s still ongoing.