Threat actors are targeting IKEA employees in an internal phishing attack via malicious reply-chain email links.
As per the reports of bleeping computer, email reply-chain phishing begins by taking over a legitimate email account to send malicious emails to its contact lists. In turn, the malicious email further spreads, in this case, to the internal emails of IKEA.
"There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organizations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA," explained an internal email sent to IKEA employees.
"This means that the attack can come via email from someone that you work with, from any external organization, and as a reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious."
The above message warns employees to remain vigilant and explains that fraudulent emails are difficult to detect because of internal mailboxes. The reply-chain emails contain links with seven digits at the end, and employees have been asked to watch out for such links and avoid clicking on them or even opening suspicious emails. Employees are also told to tell the sender of the emails via Microsoft Teams chat.
According to Trend Micro, attackers have recently started to exploit internal Microsoft Exchange servers via ProxyShell and ProxyLogin vulnerabilities to perform phishing attacks. Once they secure access to a server, they use stolen internal reply-chain emails to evade detection.
Another concern is that recipients may release the malicious phishing emails from quarantine, thinking they were caught in filters by mistake. Due to this, they are disabling the ability for employees to release emails until the attack is resolved.
"Our email filters can identify some of the malicious emails and quarantine them. Due to that, the email could be a reply to an ongoing conversation, it's easy to think that the email filter made a mistake and release the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine," IKEA communicated to employees.