Cyber Incident Victim: IKEA

Date: Nov 2021

Location: Sweden

Summary

IKEA faced a significant cyberattack involving reply-chain phishing targeting internal mailboxes, with threat actors leveraging compromised email accounts and internal servers to distribute malicious links within legitimate-seeming email threads. The attack, originating from compromised IKEA organizations and external partners, aimed to deploy Qbot and potentially Emotet malware, escalating risks of further network compromise and ransomware deployment. Employees were instructed to avoid opening suspicious emails—identified by seven-digit links—and report them immediately, while the company disabled email quarantine release functions to prevent accidental exposure due to the emails' deceptive appearance in ongoing conversations. The incident underscored heightened concerns over trusted communication channels being exploited for malware distribution.

Description

In late November 2021, IKEA faced an ongoing cyberattack targeting its internal email systems through sophisticated reply-chain phishing campaigns. Threat actors compromised legitimate email threads from IKEA employees, business partners, and suppliers, then injected malicious links into reply messages. These emails originated from both compromised IKEA organizations and external entities, leveraging stolen correspondence to appear authentic. Attackers distributed documents containing malware via links ending in seven-digit sequences, exploiting the inherent trust in ongoing email conversations. IKEA’s IT teams alerted employees to the threat, instructing them not to interact with suspicious emails regardless of the apparent sender and to immediately report such messages. Employees were also directed to contact the purported senders via Microsoft Teams to verify legitimacy and escalate incidents. The attack’s design made detection challenging, as malicious emails mimicked routine internal or partner communications and often originated from compromised but legitimate servers.
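The two indicators the description above gives the defender, a message that continues an existing thread and a link in the newly written part of the reply that ends in a seven-digit sequence, can be turned into a simple mail-gateway check. The code below is an added illustration, not IKEA's tooling or anything from the original report; the messages are constructed, the "seven digits at the end of the link" rule is taken literally from the description, and quoted history (lines starting with `>`) is ignored so that links the victim sent earlier do not count.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed samples (not real IKEA mail): one reply-chain message whose only
# new content is a link ending in seven digits, and the same reply without it.
REPLY_WITH_LINK = """\
From: supplier@partner.example
To: buyer@corp.example
Subject: RE: Q4 invoice
In-Reply-To: <msg-001@corp.example>
References: <msg-001@corp.example>
Content-Type: text/plain; charset=utf-8

Please find the updated invoice here:
https://share.host.example/docs/1234567

> On Mon, buyer@corp.example wrote:
> Thanks, sending the PO now. See https://corp.example/po/42
"""
BENIGN_REPLY = REPLY_WITH_LINK.replace(
    "https://share.host.example/docs/1234567", "Attached as PDF, as usual.")

URL_RE = re.compile(r'https?://[^\s<>"]+')
# Link ends in exactly seven digits (not an eight-or-more-digit run), optional trailing slash.
SEVEN_DIGIT_TAIL = re.compile(r"(?<!\d)\d{7}/?$")


def new_text_only(raw_message: str) -> str:
    """Return only the text the replier added, dropping quoted (> ...) thread history."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith(">"))


def is_reply_chain(raw_message: str) -> bool:
    """A message threaded onto earlier mail carries In-Reply-To and/or References."""
    msg = message_from_string(raw_message, policy=default)
    return bool(msg["In-Reply-To"] or msg["References"])


def seven_digit_links(raw_message: str) -> list[str]:
    """URLs in the new reply text whose last path segment is a seven-digit sequence."""
    return [u for u in URL_RE.findall(new_text_only(raw_message)) if SEVEN_DIGIT_TAIL.search(u)]


def score_message(raw_message: str) -> dict:
    """Flag a reply-chain message that introduces a seven-digit link; report the evidence."""
    links = seven_digit_links(raw_message)
    threaded = is_reply_chain(raw_message)
    return {"reply_chain": threaded, "suspicious_urls": links, "flagged": threaded and bool(links)}
```

A flagged message is a candidate for quarantine plus an out-of-band check with the apparent sender, which is the verification step the description says employees were told to perform over Microsoft Teams.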

The attackers exploited ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange servers to gain initial access, enabling them to hijack internal email infrastructure for further phishing distribution. This breach facilitated the deployment of Qbot (QakBot) and potentially Emotet trojans, malware strains known for enabling lateral movement, data theft, and ransomware propagation. In response, IKEA disabled employee access to email quarantine release functions to prevent accidental restoration of malicious messages flagged by filters, acknowledging that recipients might mistakenly perceive blocked reply-chain emails as false positives. The company classified the incident as severe due to the risk of widespread network compromise and secondary attacks, particularly ransomware. No data theft or operational disruptions were explicitly confirmed in the available reporting, but the compromise of Exchange servers and the malware’s capabilities indicated significant escalation potential. IKEA’s containment strategy emphasized heightened employee vigilance, centralized incident reporting, and temporary restrictions on email management controls while mitigation efforts continued.
