Office 365 joke: KnockKnock, Who's there? Botnet malware

Microsoft's already battered Office 365 is once again being targeted, this time by KnockKnock, a botnet attack designed to specifically victimize the office productivity software suite.

This time around the malicious actors are using a botnet, nicknamed KnockKnock, that goes after Office 365 system accounts instead of just the user accounts that had previously been targeted, said Sekhar Sarukkai, co-founder and chief scientist at Skyhigh Networks. System accounts are prized because they generally have elevated privileges that give the criminals access to a wide variety of inside information, and such accounts are not always as well protected.

“Not only do these accounts have higher privileges, but they may not always work well with step-up authentication systems like Single-Sign-On (SSO) or other multi-factor authentication, and they can suffer from lax password policies. This gives attackers the perfect vector to infiltrate into an organization's Office 365 environment,” Sarukkai said.

This means system accounts need to be treated like any other corporate account: they should be equipped with the proper security controls and they need to be monitored.

The attack takes advantage of poorly protected accounts by using the botnet to hit a single account four or five times in an attempt to guess its password. If the password is not discovered, it moves on to another account; by doing so it keeps a low profile. Another tactic used to stay under the radar is to hit only one organization at a time. Sarukkai noted that as one attack ramps up, another dissipates.
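A defender-side check for the pattern described above, as an added example that is not from the article or from Skyhigh Networks. It assumes a simple feed of sign-in events (source IP, account, outcome); the IPs, account names and thresholds are constructed.

```python
"""Flag low-and-slow password spraying of the kind described for KnockKnock.

A single user who mistypes a password hits one account many times and is
caught by lockout policy. A spraying bot hits many accounts a few times
each, staying below the lockout threshold, so the signal is a source that
touches many accounts with only a handful of failures per account.
"""
from collections import defaultdict

# Constructed sample events: (source_ip, account, outcome).
# 198.51.100.7 and 203.0.113.9 mimic the botnet: a few guesses per system
# account, then move on. 192.0.2.44 is one user retyping a password.
SAMPLE_EVENTS = (
    [("198.51.100.7", acct, "failure")
     for acct in ("svc-exchange", "svc-backup", "svc-sync") for _ in range(4)]
    + [("203.0.113.9", acct, "failure")
       for acct in ("svc-exchange", "svc-sync", "admin-share") for _ in range(3)]
    + [("192.0.2.44", "j.doe", "failure")] * 8
    + [("192.0.2.44", "j.doe", "success")]
)


def failures_by_source(events):
    """Return {source_ip: {account: failed_attempts}} for failed sign-ins."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, account, outcome in events:
        if outcome == "failure":
            per_ip[ip][account] += 1
    return per_ip


def flag_spray_sources(events, min_accounts=3, max_per_account=5):
    """Flag sources probing >= min_accounts accounts, each <= max_per_account
    times. The cap is set just above the 4-5 attempts the article reports so
    that ordinary brute force (many attempts, one account) is excluded."""
    flagged = {}
    for ip, accounts in failures_by_source(events).items():
        if len(accounts) >= min_accounts and max(accounts.values()) <= max_per_account:
            flagged[ip] = sorted(accounts)
    return flagged


def accounts_hit_from_many_sources(events, min_sources=2):
    """Accounts whose failed sign-ins come from several distinct IPs, the
    footprint of a distributed botnet rather than one misbehaving client."""
    sources = defaultdict(set)
    for ip, account, outcome in events:
        if outcome == "failure":
            sources[account].add(ip)
    return {acct: sorted(ips) for acct, ips in sources.items() if len(ips) >= min_sources}
```

Both checks should be fed with the whole tenant's sign-in log, since the per-account attempt count alone is deliberately kept too low to trip a lockout.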

Once an account has been hacked, the malware obtains data from its email inbox, creates a new rule that hides and diverts incoming messages, and then launches an organization-wide phishing attack to spread the malware across the network.

Sarukkai gave one example of how dangerous a successful KnockKnock attack could be to a company.

“If a hacker gains entry into an Office 365's Exchange Online system account that's used as the username for Salesforce.com, which is in turn used as a Marketo Sync User to integrate Salesforce.com to the organization's marketing automation cloud, then an entry into the Exchange Online system account could also give the hacker access to the entire CRM and marketing automation systems of the organization, putting the enterprise's most valuable data at risk of unauthorized exposure or loss,” he said.

The first KnockKnock attacks happened in May 2017 and are continuing.

“The attacks originate from a small network of 89 confirmed IPs distributed across 83 networks,” he said, adding that most of the IPs are registered in China, but some are from the U.S., Russia, Brazil and Argentina.