Security researchers from Skyhigh networks have discovered a clever new botnet attack against Office 365 accounts, called ‘KnockKnock’ because attackers are trying to knock on backdoor system accounts to infiltrate the whole O365 environments.
KnockKnock has been going on since May 2017, it was created to essentially attack system accounts that are not assigned to any one individual user, making them particularly vulnerable.
According to Skyhigh researchers:
“First, it should be noted that KnockKnock is not a brute force attack for two reasons. First, it targets a very small proportion (typically <2%) of the O365 account base. Second, it is devoid of any bursts in hacking activity, and averages only 3-5 attempts per account in order to try and fly under the radar of traditional defenses.”
The attackers tried to guess the passwords for these accounts because these accounts do not use two-factor authentication (2FA) and have higher access and privileges than regular employee accounts.
Accounts such as service accounts (like the ones used for user provisioning in larger enterprises), automation accounts (used to automate data and system backups), machine accounts (used for applications within data centers), marketing automation accounts (like the ones used for marketing and customer communication), internal tools accounts (like the ones used with JIRA, Jenkins, GitHub etc.)
According to Skyhigh, the best way to fight against KnockKnock is to enable 2FA for accounts, and to use powerful and unique passwords for both employee and system email accounts.
