Office 365 users, especially corporate accounts, are currently being targeted by hackers as part of a global attack campaign called KnockKnock. The criminals are targeting the Exchange Online servers of major companies in different sectors worldwide.
The KnockKnock Attack Aims Against Office 365 Corporate Users
Computer security experts warn of a dangerous global attack campaign called KnockKnock that aims to break into the accounts of corporate Office 365 users. According to the reports, the hackers are targeting both individual users and business accounts, primarily from some of the largest establishments in manufacturing, healthcare, financial services, consumer products and the US public sector. At this moment the identity and origins of the malicious collective are not known.
The first KnockKnock attacks were reported as beginning in May 2017 and are still ongoing. The largest peak in hacker activity was measured between June and August. The criminals favor precision rather than volume: the statistics show that the intrusion attempts average five messages per target each day.
The ongoing attack uses automatically generated messages which are sent in bulk to predefined targets. The researchers investigating the wave state that the majority of the target addresses are not tied to a specific human identity. Such cases include no-reply and service-controlled addresses. As a result, the criminals rate the campaign as being unique by design.
The KnockKnock Office 365 attack is carried out by targeting the administrative accounts that are commonly used to configure the corporate email systems. The security audit reveals that the targets are usually related to marketing and sales automation software solutions. The associated accounts are not used by human operators and are controlled via automated messages. As a result, in some corporate and government networks the security measures are set to a lower standard when such accounts are being used. Typical security measures include the use of timed password resets and multi-factor authentication (MFA).
Once the target Office 365 corporate emails have been compromised via the KnockKnock hacker attack, the criminals typically download the contents of the inboxes. Then they create a new rule that causes a follow-up phishing attack using social engineering tricks. Their goal is to propagate across the infected network using the intrusion.
The security researchers note that the login attempts to the Office 365 emails were all made from unusual locations. The activities used tactics that are not detected as generic behavioral patterns. As a result, the hackers were able to optimize the intrusion attempts so that they cannot be easily captured by intrusion detection systems.
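The behaviour described above (attempts against accounts not tied to a human, logins from unusual locations, a new rule created after compromise) can be checked for in sign-in and audit records. The following Python code is an added example, not code from the researchers or from Microsoft; the event tuples, action names, account names and the XA/XB/XC country placeholders are constructed for illustration and do not follow a real Office 365 log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, action, country).
# Action names and the XA/XB/XC country placeholders are assumptions.
EVENTS = [
    ("2017-07-03T02:10:00", "noreply@example.com", "login_failed", "XA"),
    ("2017-07-03T09:40:00", "noreply@example.com", "login_failed", "XB"),
    ("2017-07-03T12:00:00", "noreply@example.com", "login_ok", "US"),
    ("2017-07-04T03:15:00", "noreply@example.com", "login_ok", "XC"),
    ("2017-07-04T03:20:00", "noreply@example.com", "rule_created", "XC"),
    ("2017-07-04T08:00:00", "alice@example.com", "login_ok", "XA"),
    ("2017-07-05T10:00:00", "automation@example.com", "rule_created", "US"),
]
# Accounts not tied to a human identity, and where each normally signs in from.
SERVICE_ACCOUNTS = {"noreply@example.com", "automation@example.com"}
BASELINE = {"noreply@example.com": {"US"}, "automation@example.com": {"US"}}


def detect(events, service_accounts, baseline, window=timedelta(hours=24)):
    """Return (account, alert_kind, detail) tuples for service accounts."""
    alerts = []
    odd_login = {}              # account -> time of last unusual successful login
    failed = defaultdict(set)   # (account, day) -> unusual countries with failures
    for ts, account, action, country in sorted(events):
        if account not in service_accounts:
            continue
        when = datetime.fromisoformat(ts)
        unusual = country not in baseline.get(account, set())
        if action == "login_failed" and unusual:
            # No volume threshold: the campaign is low-volume by design.
            failed[(account, when.date())].add(country)
        elif action == "login_ok" and unusual:
            odd_login[account] = when
            alerts.append((account, "unusual_location_login", ts))
        elif action == "rule_created":
            last = odd_login.get(account)
            if last is not None and when - last <= window:
                alerts.append((account, "rule_after_unusual_login", ts))
    for (account, day), countries in sorted(failed.items()):
        detail = f"{day} {','.join(sorted(countries))}"
        alerts.append((account, "failed_logins_unusual_location", detail))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, SERVICE_ACCOUNTS, BASELINE):
        print(alert)
```

Because the check is scoped to service accounts with a known baseline, it alerts on a single out-of-baseline event instead of waiting for the volume that generic brute-force rules expect.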