Ikea launches "full-scale investigation" into email-based cyber attack

Early evidence seems to indicate a compromise of Microsoft Exchange servers in a reply chain attack campaign

Global furniture giant Ikea has confirmed it is wrestling with a cyber attack on its systems, with evidence indicating its Microsoft Exchange servers may be compromised.

Ikea confirmed to IT Pro that a "full-scale investigation" into the incident is underway and that there is no indication that customer data has been compromised. 

Other Ikea organisations, suppliers, and business partners are all said to be affected by the attack, according to an internal email sent to employees.

The email, seen by Bleeping Computer, informs staff that malicious emails are being circulated around the business and appear as genuine replies to existing email chains.

Email chain hijacking is one of the unique identifiers of the recent SquirrelWaffle malspam campaign that exploits an unpatched vulnerability in Microsoft Exchange servers to distribute the Qakbot malware payload.

Emails can appear to come from trusted colleagues or from outside companies a staff member has previously collaborated with, increasing the likelihood that a social engineering-led cyber attack succeeds.

"We are aware of the situation regarding the phishing attack against parts of the Ikea organisation," an Ikea spokesperson told IT Pro. "Actions have been taken to prevent damages and a full-scale investigation is ongoing to seal and solve the issue. We take the matter very seriously as safeguarding personal data is a primary concern for Ikea. 

"It is of our highest priority that Ikea customers, co-workers and business partners feel certain that their data is secured and handled correctly," they added. "To ensure this, we use security technology to encrypt all personal information, including card numbers, addresses, and other information.

"We have no indication that customer data has been compromised."

Ikea is encouraging staff to remain extra vigilant when monitoring their inboxes for phishing emails, specifically for emails that contain links that have seven numbers at the end.

These links are believed to be associated with the attacker's campaign and lead to the download of a malicious Microsoft Excel document. As is typical with the SquirrelWaffle attack strategy, the document encourages victims to click 'enable editing' and 'enable content' buttons within the document which then leads to the download of the malicious payload.
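As an added illustration (not code from Ikea, IT Pro or Bleeping Computer), the following Python example triages a message for the indicator staff were told to watch for: a link ending in seven digits, in a message that arrives as a reply. It assumes "seven numbers at the end" means exactly seven trailing digits; the function name `triage`, the sample messages and the `.example` domains are constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assumption: "seven numbers at the end" = exactly seven trailing digits.
SEVEN_DIGIT_TAIL = re.compile(r"(?<!\d)\d{7}$")

def triage(raw_message: str) -> dict:
    """Report whether a message is a reply and which links end in 7 digits."""
    msg = message_from_string(raw_message, policy=default)
    # Hijacked reply chains carry the reply headers of the original thread.
    is_reply = bool(msg["In-Reply-To"] or msg["References"])
    links = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;:)!?")  # drop trailing sentence punctuation
            if SEVEN_DIGIT_TAIL.search(url) and url not in links:
                links.append(url)
    return {"is_reply": is_reply, "links": links}

# Constructed sample: a reply whose body carries a link ending in 7 digits.
SAMPLE_REPLY = """\
From: colleague@partner.example
To: staff@corp.example
Subject: RE: Delivery schedule
In-Reply-To: <1234@corp.example>
Content-Type: text/plain; charset="utf-8"

Please see the updated sheet: https://files.example/docs/schedule-4815162.
"""

# Constructed sample: a new message whose link ends in 8 digits (no match).
SAMPLE_BENIGN = """\
From: helpdesk@corp.example
To: staff@corp.example
Subject: Ticket update
Content-Type: text/plain; charset="utf-8"

Ticket: https://intranet.example/ticket/12345678
"""

if __name__ == "__main__":
    for name, raw in (("reply", SAMPLE_REPLY), ("benign", SAMPLE_BENIGN)):
        print(name, triage(raw))
```

A trailing seven-digit pattern also matches many legitimate links, so a hit marks a message for review rather than confirming it as malicious.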


Ikea is also reportedly telling staff to report suspicious emails immediately to its IT team and inform it of the sender's email address over Microsoft Teams instant chat.

The degree to which Ikea staff have been compromised, or how successful the attack has been, is not yet known. 

The company has disabled all employees' ability to release suspected phishing emails from quarantine due to how convincing the hijacked email chain method of attack can be.

Ikea reportedly said its email filters are seeing some degree of success in catching the phishing emails, but it couldn't take the risk that a staffer would mistakenly release an email from quarantine given the trusted source.
