Forgotten Office 365 accounts targeted by stealthy attack campaign

'KnockKnock' attackers hope to fly under the radar by hacking rarely-used, high-privilege accounts.
Written by Danny Palmer, Senior Writer


Crooks are targeting admin and systems accounts -- often automated and ignored, not protected by two-factor authentication and secured with poor passwords -- to gain access to corporate Office 365 email accounts for phishing, data-theft, and more.

Dubbed KnockKnock because attackers are attempting to knock on backdoor system accounts to infiltrate Office 365 environments, the attacks have been ongoing since May and have targeted organisations in manufacturing, financial services, healthcare, consumer products, and the US public sector.

By targeting systems accounts which may not be actively used on a regular basis rather than those of individual users, the attackers hope to fly under the radar. These accounts are often Exchange Online accounts, which by Microsoft's own definition fall into the category of Office 365 accounts.

The attackers also try to stay quiet by targeting only a small number of accounts, making just three to five login attempts against each so as not to trip security software, before moving on to attack another organisation.

Uncovered by researchers at Skyhigh Networks, the KnockKnock botnet is also relatively small, made up of just 83 IP addresses across 63 networks.

The targeted administrative accounts are commonly used to integrate corporate email systems with marketing and sales automation software. What makes them appealing to attackers is that these systems accounts tend to have higher access and privileges than an average user account.


And because they are usually automated, they are much less likely to be protected by two-factor authentication, and they are prone to weak passwords, since the credentials often need to be shared within the corporate environment. KnockKnock looks to exploit both of these weaknesses to breach the target network.

Once KnockKnock gains access to an enterprise system account -- the attackers simply attempt to guess the password, which for these accounts, often isn't complex -- the attack is designed to exfiltrate any data in the inbox deemed to be of value.

It also creates a new inbox rule to hide and divert incoming messages. It then uses phishing emails sent from the now-hijacked systems inbox to spread further within the compromised enterprise.
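A defender-side illustration of the two signals the article describes: a few failed logins against a service account from several IP addresses followed by a success, and a new inbox rule whose parameters hide or divert mail. This is an added example, not code from the article or from Skyhigh's research; the event records are constructed and only loosely modelled on Office 365 audit log operation names, and the service-account naming prefixes are an assumption.

```python
from collections import defaultdict

# Constructed sample events (not real log data), loosely modelled on the
# Office 365 unified audit log: Operation, UserId, ClientIP, Parameters.
EVENTS = [
    {"Operation": "UserLoginFailed", "UserId": "svc-marketing@example.com", "ClientIP": "203.0.113.10"},
    {"Operation": "UserLoginFailed", "UserId": "svc-marketing@example.com", "ClientIP": "203.0.113.11"},
    {"Operation": "UserLoginFailed", "UserId": "svc-marketing@example.com", "ClientIP": "198.51.100.7"},
    {"Operation": "UserLoginFailed", "UserId": "svc-marketing@example.com", "ClientIP": "198.51.100.8"},
    {"Operation": "UserLoggedIn", "UserId": "svc-marketing@example.com", "ClientIP": "198.51.100.8"},
    {"Operation": "New-InboxRule", "UserId": "svc-marketing@example.com", "ClientIP": "198.51.100.8",
     "Parameters": {"DeleteMessage": "True", "SubjectContainsWords": "password"}},
    # An ordinary user mistyping a password twice from one IP: not flagged.
    {"Operation": "UserLoginFailed", "UserId": "alice@example.com", "ClientIP": "192.0.2.5"},
    {"Operation": "UserLoginFailed", "UserId": "alice@example.com", "ClientIP": "192.0.2.5"},
    {"Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "192.0.2.5"},
]

# Assumed naming convention for shared/automation accounts in this tenant.
SERVICE_PREFIXES = ("svc-", "automation", "mailer")
MAX_ATTEMPTS = 5       # the campaign stays at three to five guesses per account
MIN_DISTINCT_IPS = 2   # guesses spread over the small botnet, not one source
# Inbox rule parameters that hide or divert mail from the account owner.
HIDE_ACTIONS = ("DeleteMessage", "MoveToFolder", "ForwardTo", "RedirectTo", "MarkAsRead")

def is_service_account(user):
    return user.split("@")[0].lower().startswith(SERVICE_PREFIXES)

def low_and_slow_guessing(events):
    """Service accounts with a handful of failed logins from several IPs
    followed by a successful login: the pattern a lockout threshold misses."""
    fails = defaultdict(list)
    succeeded = set()
    for e in events:
        if not is_service_account(e["UserId"]):
            continue
        if e["Operation"] == "UserLoginFailed":
            fails[e["UserId"]].append(e["ClientIP"])
        elif e["Operation"] == "UserLoggedIn":
            succeeded.add(e["UserId"])
    return sorted(u for u, ips in fails.items()
                  if len(ips) <= MAX_ATTEMPTS
                  and len(set(ips)) >= MIN_DISTINCT_IPS
                  and u in succeeded)

def suspicious_inbox_rules(events):
    """New inbox rules that delete, move, forward or redirect messages."""
    return [(e["UserId"], e["Parameters"]) for e in events
            if e["Operation"] == "New-InboxRule"
            and any(k in e.get("Parameters", {}) for k in HIDE_ACTIONS)]
```

Both checks are built around the account rather than the source IP, since the article notes the botnet's addresses appear on no known blocklists.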

Researchers say that the slow-moving and stealthy nature of the attack means it can go on for some time before being noticed.

KnockKnock is still ongoing, although the number of attacks has fallen from its June and August levels. While researchers haven't been able to identify the threat actor behind the campaign -- the IP addresses of the hijacked devices used to run it don't appear on any lists of known botnets or bad-actor IP addresses -- they note that around 90 percent of login attempts come from China.

However, attackers could easily change or re-route IP addresses in order to cover their tracks, so it's impossible to say for certain that the attacks originated from China.

ZDNet contacted Microsoft for comment, but at the time of publication hadn't received a reply.


Researchers have named the attack technique 'KnockKnock' after how it knocks on the backdoor of systems.

