IKEA is suffering an email phishing attack using both internal and compromised partner reply-chain emails. In internal emails viewed by Bleeping computer, IKE warned employees of the ongoing attack and evidence suggests that the attack may be spreading the Emotet or Qbot trojans. IKEA email excerpts:

“There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA,”

“This means that the attack can come via email from someone that you work with, from any external organisation, and as a reply to an already ongoing conversations. It is therefore difficult to detect, for which we ask you to be extra cautious.”

“Our email filters can identify some of the malicious emails and quarantine them. Due to that the email could be a reply to an ongoing conversation, it’s easy to think that the email filter made a mistake and release the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine,” IKEA communicated to employees.”

Notify of
5 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Danny Lopez
Danny Lopez , CEO
InfoSec Expert
December 1, 2021 1:32 pm

<p dir=\"ltr\">The cyber attack on IKEA’s email systems is an unfortunate but important illustration of the role the human element plays in the world of cybersecurity. In this case, it appears that an external bad actor manipulated employees with a reply-chain email – legitimate emails from a company, sent from compromised email accounts and internal servers.</p>
<p dir=\"ltr\">The solution to preventing incidents like this is twofold: training and technology. Training plays a vital role in any rounded approach to cybersecurity by arming as many users as possible to be alert to risks and follow best practices. But what if the links or attachments appear to be from someone you know and trust? The majority wouldn’t question it, especially if the message looks completely legitimate, as these IKEA emails did. </p>
<p dir=\"ltr\">This is a perfect example of why employees should not be your only line of defence against cyberattacks. Instead, organisations should take a proactive, zero-trust approach to cybersecurity and have the measures in place to prevent attacks from penetrating your systems. A simple, proactive solution like Content Disarm and Reconstruction (CDR) technology is so valuable because it helps to create a digital environment where a threat cannot exist. This means that users can trust every email attachment that enters or leaves an organisation, as these can also contain bad links and malicious content. It’s also far more efficient and cost-effective than relying solely on your employees.</p>

Last edited 1 year ago by Danny Lopez
Anurag Kahol
Anurag Kahol , CTO
InfoSec Expert
December 1, 2021 1:31 pm

<p dir=\"ltr\">The days of basic phishing schemes have more or less passed. Modern phishing attacks are very well targeted, can be difficult to detect, and rely on advanced forms of infiltration that better disguise malicious intent.</p>
<p dir=\"ltr\">Preventing today’s increasingly dynamic phishing attempts requires next-generation “on-device” web security that can block phishing sites and apply advanced threat protection across all the user’s devices, both managed and unmanaged. Ensuring safe browsing in a mobile-to-cloud environment requires comprehensive security controls with deep visibility, bringing together disparate security functions into a single-cloud delivered security platform, without agents, VPNs, and performance bottlenecks.</p>
<p dir=\"ltr\">With a vigorous cybersecurity posture, organisations can drastically decrease the chance of compromised IT and security systems. What\’s more, companies need to ensure adequate employee security training to identify phishing attempts and illegitimate emails.</p>

Last edited 1 year ago by Anurag Kahol
Tim Callan
Tim Callan , Chief Compliance Officer
InfoSec Expert
December 1, 2021 1:29 pm

<p dir=\"ltr\">The IKEA cyberattack illustrates that criminals are getting smarter and can still gain results from older, proven attack vectors. In case of a phishing attack, it is no longer enough to watch out for crudely worded emails – recipients must also consider context, content and sender, particularly if financial transactions are involved. There are all kinds of malware that can get into your system through downloads or straight hacking.  </p>
<p dir=\"ltr\">Those who want to proactively provide encryption for their own outbound email can employ standardized S/MIME certificates to do exactly that. Compatible with most popular email systems, S/MIME is built on more than twenty years of industry adoption. In addition to enabling encryption email content and attachments across the full transport path, S/MIME also makes it possible for receivers to confirm emails’ true senders, increasing their protection against a variety of spear phishing attacks.</p>

Last edited 1 year ago by Tim Callan
Garret F. Grajek
InfoSec Expert
December 1, 2021 1:28 pm

<p>Another example of the constant scanning and probing of our enterprises. Every vulnerability will be explored and exploited. The email and social hacks are loved by the hackers because they don\’t take an investment on research and development of zero-day hacks. The result is the same though – the hackers will attempt lateral movement, privilege escalation  and persistence in the enterprise. A rational and thorough quantification of identities and their usages are crucial to enterprise security. Constant vigilance on both user and admin accounts are required especially when an enterprise is securing customer, financial and health care data.</p>

Last edited 1 year ago by Garret F. Grajek
Saryu Nayyar
Saryu Nayyar , CEO
InfoSec Expert
December 1, 2021 1:27 pm

<p>If you get an email from someone you know, or that seems to continue an ongoing conversation, you are probably inclined to treat is as legitimate. However, IKEA employees are finding out otherwise. They are being attacked by phishing emails that are often purportedly from known sources, and may be carrying the Emotet or Qbot trojans to further infect the system and network. For those emails that are being caught and quarantined, IKEA is not letting users release their own emails.</p>
<p>No business is safe from cyberattack. Whether it’s for the purpose of ransomware, business disruption, or simply for spite, even seemingly innocuous companies are facing harm. And this attack is particularly insidious, in that it seemingly continues a pattern of normal use. Enterprises have to continue educating their computer users, as well as using machine learning models and analytics to detect anything out of the ordinary.</p>

Last edited 1 year ago by Saryu Nayyar
Would love your thoughts, please comment.x