Ikea is dealing with a global cyber attack on its internal systems. The Swedish chain of stores has warned all its employees that malicious emails can come from anyone they work with or from any external organization, and can even arrive as part of a conversation already under way.
BleepingComputer has reproduced the internal emails that the company has sent to its employees, warning of the cyberattack, which uses phishing techniques to try to infect internal company servers with malware.
A critical threat that could lead to a ransomware infection
Ikea is treating the security incident as a significant one that could lead to a much more serious attack. Employees have been warned that there is an ongoing cyber attack targeting Inter Ikea mailboxes.
Other Ikea organizations, vendors and business partners have also been compromised by the same attack and are spreading malicious emails to people at Inter Ikea.
The IT team has told workers that the malicious emails can contain links with seven digits at the end, and has shared an example screenshot.
Employees have been asked not to open the emails, regardless of who sent them, and to report them immediately to the IT department. They have also been asked to tell the sender about the emails through Microsoft Teams chat.
Phishing campaigns of this type, which hijack replies in internal email chains, have been associated with the hacking of Microsoft Exchange servers through the ProxyShell and ProxyLogon exploits. Campaigns of this type have been detected installing Trojans such as Qbot or even the well-known Emotet malware.
Both Qbot and Emotet can severely compromise a company’s internal network and culminate in the deployment of a ransomware attack.
These attacks are especially effective against people because they slip into email conversations already under way with trusted senders, and they are also good at avoiding alarms in the email protection systems the company uses.
As a protection measure against this, Ikea has disabled users' ability to release emails from “quarantine” when the protection filters of its systems detect them as malicious. The reason is that employees could release them by mistake, believing that the system had raised a false positive, precisely because the emails belong to a trusted conversation started long before this attack was detected.
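The indicator the IT team describes (links ending in seven digits) and the reply-chain delivery described above can be combined into a simple mailbox triage check. The following is an added example, not code from Ikea or BleepingComputer; the sample messages, addresses and domains are constructed, and matching the digits against the end of the URL path is an assumption about what "at the end" means.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# URLs in plain-text or HTML bodies; stop at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Exactly seven digits at the very end of the path (eight or more do not match).
SEVEN_DIGITS_RE = re.compile(r"(?<!\d)\d{7}$")

# Constructed sample: a reply in an existing thread carrying a link ending in 7 digits.
SAMPLE_REPLY = """\
From: colleague@example.com
To: me@example.com
Subject: Re: Q4 delivery schedule
In-Reply-To: <thread-001@example.com>
Content-Type: text/plain; charset=utf-8

Hi, please see the document here:
https://files.example.net/docs/report-4815162

Regards
"""

# Constructed sample: a new message whose link ends in eight digits.
SAMPLE_BENIGN = """\
From: helpdesk@example.com
To: me@example.com
Subject: Ticket update
Content-Type: text/plain; charset=utf-8

Your ticket: https://intranet.example.com/ticket/12345678.
"""

def suspicious_links(raw_message: str) -> dict:
    """Return the links ending in seven digits and whether the mail is a reply."""
    msg = message_from_string(raw_message, policy=default)
    is_reply = bool(msg["In-Reply-To"] or msg["References"])
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;:)")  # drop trailing sentence punctuation
            path = urlsplit(url).path.rstrip("/")
            if SEVEN_DIGITS_RE.search(path) and url not in hits:
                hits.append(url)
    return {"subject": str(msg["Subject"]), "is_reply": is_reply, "links": hits}
```

A message with a non-empty `links` list is a candidate for reporting to the IT department; `is_reply` marks the ones that arrived inside an existing conversation.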