KnockKnock – Sophisticated Campaign Targeting “Non-Human” Office 365 Exchange Online Service Email Accounts

Cloud security firm Skyhigh Networks recently detected a sophisticated hacking campaign, dubbed KnockKnock, targeting non-human Office 365 Exchange Online email accounts such as service accounts, automation accounts, machine accounts, marketing accounts, and accounts for internal tools. Once the hackers gain access to the targeted accounts, they exfiltrate data or use the accounts to launch phishing campaigns, either within the organization itself or externally to other targets. These service accounts, which are often unattended and used to integrate corporate email systems with automation software, typically lack oversight and security measures such as multi-factor authentication and mandatory password changes, making them attractive targets to Advanced Persistent Threats (APTs) and other malicious actors. According to Skyhigh Networks, the campaign began in May 2017, but the company saw an uptick in activity in July and August. They observed 83 different IP addresses conducting KnockKnock attacks with 90 percent of the detected login attempts originating from China. Other source locations include Russia, Brazil, the US, and Argentina. Targeted sectors include manufacturing, financial services, healthcare, consumer products, and the US public sector. The NJCCIC recommends Office 365 Exchange Online email administrators review the Skyhigh Networks report and implement a monitoring solution for all unattended, non-human service accounts within their organizations. Additional mitigation strategies include: creating lengthy, unique, and complex passwords; implementing multi-factor authentication, if applicable; applying the Principle of Least Privilege; implementing the “Client Rules Forwarding Blocks” security control to prevent auto-forwarding; enabling activity logging, creating activity alerts, and reviewing activity reports associated with those accounts.