Researchers uncovered KnockKnock, an attack on Office 365 Exchange Online email accounts that originated from 16 countries and targeted organizations in manufacturing, financial services, healthcare, consumer products and the US public sector. The attackers behind KnockKnock went after automated corporate email accounts not tied to a human identity, which often lack the stronger security policies applied to user accounts.
The campaign is built on an unusual targeting strategy: it goes after administrative and service accounts commonly used to integrate corporate email systems with marketing and sales automation software. Because these accounts are not linked to a human identity and are used by unattended software, they are less likely to be protected by policies such as multi-factor authentication (MFA) and recurring password resets.
On gaining access to an enterprise Office 365 account, the KnockKnock operators typically exfiltrate whatever data is in the inbox, create a new inbox rule, and launch a phishing attack from the compromised mailbox in an attempt to spread across the enterprise.
Scope of the attacks
The KnockKnock campaign began in May 2017 and is still ongoing, with the bulk of activity occurring between June and August. The attackers favored precision over volume: attacks averaged five targeted email addresses per customer.
Skyhigh Networks’ researchers detected the attacks when logins to Office 365 came from unusual locations and the account activity deviated from the normal behavioral patterns established by Skyhigh’s machine learning algorithms. This analysis produced a detailed picture of the attacks:
- Hackers used 63 networks and 83 IP addresses to conduct their attacks.
- Roughly 90 percent of the login attempts came from China, with additional attempts originating from Russia, Brazil, U.S., Argentina and 11 other countries.
- Targets included infrastructure and Internet of Things (IoT) vendors, as well as infrastructure- and IoT-related departments in large enterprises, across industries such as manufacturing, financial services, healthcare, consumer products and the US public sector.
- Almost all of the targeted accounts were confirmed to be ‘non-human’ system accounts.
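The two detection signals the article describes, sign-ins from locations outside an account's baseline and the creation of an inbox rule on a non-human mailbox, can be checked directly against sign-in and audit logs. The following is an added example written for this page, not Skyhigh's product logic or Microsoft's tooling. It assumes a simplified, constructed event format (user, source IP, country, operation, whether MFA was used), a hypothetical per-account baseline of expected countries, and a hypothetical naming convention for service accounts; real Azure AD sign-in and Unified Audit Log records carry more fields and would need to be mapped into this shape first. It goes slightly beyond the text by also flagging accounts that sign in from many distinct IPs and by correlating an unusual sign-in with a later inbox rule on the same mailbox.

```python
from collections import defaultdict

# Constructed sample records (not real logs). Each record is a simplified
# Office 365 sign-in / audit event: who, from where, what operation, MFA used?
SAMPLE_EVENTS = [
    {"user": "crm-sync@corp.example", "ip": "203.0.113.5",  "country": "US", "op": "UserLoggedIn",  "mfa": False},
    {"user": "crm-sync@corp.example", "ip": "198.51.100.7", "country": "CN", "op": "UserLoggedIn",  "mfa": False},
    {"user": "crm-sync@corp.example", "ip": "198.51.100.8", "country": "CN", "op": "UserLoggedIn",  "mfa": False},
    {"user": "crm-sync@corp.example", "ip": "198.51.100.9", "country": "RU", "op": "UserLoggedIn",  "mfa": False},
    {"user": "crm-sync@corp.example", "ip": "198.51.100.9", "country": "RU", "op": "New-InboxRule", "mfa": False,
     "rule": "forward all mail to attacker@external.example"},
    {"user": "alice@corp.example",    "ip": "192.0.2.10",   "country": "GB", "op": "UserLoggedIn",  "mfa": True},
    {"user": "alice@corp.example",    "ip": "192.0.2.11",   "country": "US", "op": "UserLoggedIn",  "mfa": True},
]

# Hypothetical per-account baseline: countries each account normally signs in from.
BASELINE_COUNTRIES = {
    "crm-sync@corp.example": {"US"},
    "alice@corp.example": {"US", "GB"},
}

# Hypothetical naming convention used here to recognise automated/service mailboxes.
SERVICE_ACCOUNT_MARKERS = ("sync", "svc", "automation", "api")


def is_service_account(user):
    """Heuristic: treat mailboxes whose local part contains a marker as non-human."""
    local_part = user.split("@", 1)[0].lower()
    return any(marker in local_part for marker in SERVICE_ACCOUNT_MARKERS)


def detect(events, baseline, ip_threshold=3):
    """Return a list of (kind, user, detail) findings over the event stream."""
    findings = []
    ips_by_user = defaultdict(set)   # distinct source IPs per account
    no_mfa_flagged = set()           # report the missing-MFA condition once per account
    unusual_users = set()            # accounts with at least one out-of-baseline sign-in
    rule_users = set()               # accounts that created an inbox rule

    for e in events:
        user = e["user"]
        if e["op"] == "UserLoggedIn":
            ips_by_user[user].add(e["ip"])
            # Sign-in from a country outside the account's baseline
            if e["country"] not in baseline.get(user, set()):
                findings.append(("unusual_location", user, f'{e["country"]} via {e["ip"]}'))
                unusual_users.add(user)
            # Non-human account authenticating without MFA (the gap KnockKnock exploits)
            if is_service_account(user) and not e["mfa"] and user not in no_mfa_flagged:
                findings.append(("service_account_no_mfa", user, "login without MFA"))
                no_mfa_flagged.add(user)
        elif e["op"] == "New-InboxRule":
            # Post-compromise step described in the article: a new inbox rule
            findings.append(("inbox_rule_created", user, e.get("rule", "")))
            rule_users.add(user)

    # Many distinct source IPs for one account is another sign of distributed abuse
    for user, ips in ips_by_user.items():
        if len(ips) >= ip_threshold:
            findings.append(("many_source_ips", user, f"{len(ips)} distinct IPs"))

    # Correlation: anomalous sign-in plus an inbox rule on the same mailbox
    for user in unusual_users & rule_users:
        findings.append(("likely_compromise", user, "unusual location + inbox rule"))

    return findings


def kinds_for(findings, user):
    """Sorted set of finding kinds raised for one account."""
    return sorted({kind for kind, u, _ in findings if u == user})


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, BASELINE_COUNTRIES):
        print(*finding, sep="\t")
```

On the constructed sample, the service mailbox is flagged for unusual locations, missing MFA, many source IPs and an inbox rule, and the correlation rule promotes it to a likely compromise, while the human account with MFA and in-baseline sign-ins raises nothing. In practice the baseline should be learned from historical sign-ins rather than hand-written, and the service-account test should come from the directory (for example, accounts excluded from MFA policy) rather than from a naming pattern.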