It has been reported that Ikea are currently experiencing a large internal phishing attack driven by stolen reply chains. The company sent out a warning to its employees about the issue and advised them to read up on how to spot a phishing email. The problem is that the emails came from internal addresses, so employees were more likely to open them because they trusted the sender's address.

As a temporary measure Ikea have disabled the option for employees to release spam from quarantine. It is also reported that more than just Ikea have been affected by this issue with some of their suppliers also involved in the attack.

Below is an example of one of the phishing emails that was sent out to employees…

[Image: IKEA phishing email]

The attacks on these companies have apparently been orchestrated by the group Squirrelwaffle, a threat actor known for sending malicious spam as replies to existing email chains. An investigation into three incidents found that the attackers used exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34472 and CVE-2021-34523 (ProxyShell).

Below is also an example of what an attack like this looks like…

[Image: IKEA phishing attack]

Attacks like these can cause serious damage to a company's network and can cost thousands or even millions in downtime and repairs. This is often how ransomware attacks start, and it is a stark reminder of the importance of training staff to spot a phishing email. Staff should also be taught to report anything suspicious, so that attacks like these can be stopped early.
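As an added defender-side example (not code from this post or from IKEA), the heuristic below flags the reply-chain pattern described above: a message that continues an existing thread and claims an internal sender, yet fails the mail gateway's SPF/DKIM/DMARC checks or steers replies to an outside address. The internal domain, header values and sample messages are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumption: example.com is the organisation's own mail domain.
INTERNAL_DOMAIN = "example.com"

def auth_verdicts(msg):
    """Pull spf/dkim/dmarc verdicts out of the Authentication-Results header
    that the receiving gateway stamps on inbound mail."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}

def reply_chain_flags(raw, internal_domain=INTERNAL_DOMAIN):
    """Return the reasons a message looks like a hijacked-thread reply: it is a
    reply, it claims an internal From address, but the gateway could not
    authenticate it (or it redirects replies outside the organisation)."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    subject = str(msg.get("Subject", "")).strip().lower()
    is_reply = bool(msg.get("In-Reply-To")) or subject.startswith("re:")
    if not (is_reply and from_addr.endswith("@" + internal_domain)):
        return []  # only the internal-sender thread-hijack pattern is assessed
    verdicts = auth_verdicts(msg)
    flags = [f"{check}={verdicts.get(check, 'missing')}"
             for check in ("spf", "dkim", "dmarc")
             if verdicts.get(check) != "pass"]
    if reply_to and not reply_to.endswith("@" + internal_domain):
        flags.append(f"reply-to outside domain: {reply_to}")
    return flags

# Constructed sample: a reply in a real-looking thread, internal From address,
# but sent from outside and with Reply-To pointing at the attacker's mailbox.
SUSPICIOUS_MSG = b"""From: Alice <alice@example.com>
To: bob@example.com
Subject: Re: Q4 supplier invoices
In-Reply-To: <thread-1234@example.com>
Reply-To: alice.example@mail.invalid
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bad.invalid; dkim=none; dmarc=fail header.from=example.com

Hi Bob, please see the attached document.
"""

# Constructed sample: the same thread, genuinely sent through our own gateway.
LEGIT_MSG = b"""From: Alice <alice@example.com>
To: bob@example.com
Subject: Re: Q4 supplier invoices
In-Reply-To: <thread-1234@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Hi Bob, invoices are approved.
"""
```

A message that never crosses the gateway (pure internal-to-internal mail) carries no Authentication-Results header, so every check reads as "missing"; treat that as a prompt to inspect the Received path rather than as proof of compromise.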

Published by Curtis Holt
