Multinational furniture maker Ikea announced it is investigating a cyber incident which took place on its Microsoft Exchange server. Malicious emails were sent around the company appearing to be a genuine “reply all” to an email chain, according to documents shared with BleepingComputer.
No customer data was compromised as a result of the incident. Other Ikea businesses, partners and suppliers are said to be affected, according to BleepingComputer.
Email hijacking is a social-engineering-led attack commonly used by threat actors. The recent SquirrelWaffle malspam campaign used the same technique: actors exploited an unpatched vulnerability in a Microsoft Exchange server to distribute a Qakbot malware payload.
An Ikea spokesperson told ITPro:
“Actions have been taken to prevent damages and a full-scale investigation is ongoing to seal and solve the issue. We take the matter very seriously as safeguarding personal data is a primary concern for Ikea. It is of our highest priority that Ikea customers, co-workers and business partners feel certain that their data is secured and handled correctly,” they added. “To ensure this, we use security technology to encrypt all personal information, including card numbers, addresses, and other information.”
Ikea has since told staff to be extra vigilant when monitoring their emails. The company is warning of emails that contain links with seven numbers at the end of them. The links lead to a download of a malicious Excel document, where victims are prompted to click “enable edit,” which then leads to the malicious payload.
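As an added illustration, not code from the article or from Ikea, the following script shows the kind of mail-triage check a defender could run against the indicator described above: it pulls URLs out of message bodies, flags those ending in exactly seven digits, and notes whether the message presents itself as a reply to an existing thread. The sample messages, subjects and hostnames are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample messages (illustrative only; not from the article).
SAMPLE_EMAILS = [
    {
        "subject": "RE: RE: Q4 store layout",
        "body": "Hi all, updated file here: http://example.invalid/docs/1234567",
    },
    {
        "subject": "RE: Q4 store layout",
        "body": "Thanks, slides at https://intranet.example.invalid/share/report.xlsx",
    },
    {
        "subject": "Weekly update",
        "body": "Agenda: http://example.invalid/agenda/12345678 and http://example.invalid/x/987",
    },
]

# Crude URL extractor: stops at whitespace, angle brackets and quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Exactly seven digits at the very end of the link (an eighth digit before them fails the lookbehind).
SEVEN_DIGIT_SUFFIX = re.compile(r"(?<!\d)\d{7}$")


def extract_urls(text: str) -> List[str]:
    """Return URLs found in the body, with trailing sentence punctuation removed."""
    return [u.rstrip(".,;:") for u in URL_RE.findall(text)]


def flag_seven_digit_links(urls: List[str]) -> List[str]:
    """Keep only links whose path ends in exactly seven digits."""
    return [u for u in urls if SEVEN_DIGIT_SUFFIX.search(u)]


def is_reply_chain(subject: str) -> bool:
    """Heuristic: the message claims to be a reply in an existing thread."""
    return subject.strip().lower().startswith("re:")


def triage(email: Dict[str, str]) -> Dict[str, object]:
    """Score one message against the reply-chain and seven-digit-link indicators."""
    flagged = flag_seven_digit_links(extract_urls(email["body"]))
    return {
        "subject": email["subject"],
        "reply_chain": is_reply_chain(email["subject"]),
        "flagged_urls": flagged,
        "suspicious": bool(flagged),
    }


def triage_all(emails: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [triage(e) for e in emails]
```

Only the first constructed message is flagged; the eight-digit and three-digit links in the third message are deliberately left alone so the check stays tied to the stated indicator rather than to any number in a URL.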
Employees who come across these emails are being asked to report them instantly to the IT Team via Microsoft Teams so the sender’s address can be identified and blocked immediately.
Ikea says its email filters are catching some of the phishing emails, but it could not risk a staffer mistakenly releasing one from quarantine given that the messages appear to come from a trusted source, according to ITPro.