TMCnet - World's Largest Communications and Technology Community



Skyhigh Reveals 'KnockKnock,' Widespread Attack on Vulnerable O365 Corporate Email Accounts
[October 05, 2017]

Skyhigh Reveals 'KnockKnock,' Widespread Attack on Vulnerable O365 Corporate Email Accounts

Skyhigh Networks, the world's leading Cloud Access Security Broker (CASB), announced today the detection of a previously unknown botnet 'KnockKnock.' This campaign is a sophisticated cyber attack on Office 365 Exchange Online email accounts, originating from 16 countries around the world and targeting more than half of large enterprises using O365. Further, the attackers behind KnockKnock targeted automated corporate email accounts not tied to a human identity, which often lacked advanced security policies.

Unlike the brute force campaign on corporate Office 365 accounts Skyhigh had previously reported, KnockKnock is a new campaign revealing a unique attack strategy of targeting accounts commonly used to integrate with corporate email systems like administrative accounts, marketing automation and sales automation software. Since these accounts are not linked to a human identity and require automated use, they are less likely to have protection from security policies such as multi-factor authentication (MFA (News - Alert)) and recurring password reset.

On gaining access to an enterprise O365 account, the KnockKnock campaign typically creates a new inbox rule, exfiltrates any data in the inbox, initiates a phishing attack and attempts to propagate infection across the enterprise using this controlled inbox.

"This campaign on O365 is particularly troubling due to its focus on system accounts essential for today's business automation that typically do not require MFA and traditionally have weak security oversight," said Sekhar Sarukkai, chief scientist, Skyhigh. "Attacks on these 'weakest link' accounts require a cloud-native security approach for complete visibility and mitigation."

Scope of the Attacks

The KnockKnock campaign began in May 2017 and is still ongoing, with the bulk of activity occuring between June and August. With a focus on precision targeting instead of a high volume of targets, attacks averaged five email addresses for each customer.

Skyhigh's threat protection engine detected these attacks when logins to O365 from unusual locations defied standard behavioral patterns analyzed by the Skyhigh CASB's machine learning algorithms. This analysisoffered a detailed map of the attacks:

  • Hackers used 63 networks and 83 IP addresses to conduct their attacks.
  • Roughly 90 percent of the login attempts came from China, with additional attempts originating from Russia, Brazil, U.S., Argentina and 11 other countries.
  • Targets included Infrastructure and Internet of Things (IoT) vendors, as well as departments related to infrastructure and IoT in large enterprises, across industries such as manufacturing, financial services, healthcare, consumer products and the US public sector.
  • Almost all of the accounts were confirmed to be 'non-human' system accounts.

Skyhigh's visibility into cloud traffic of over 30 million enterprise users worldwide allows the company to correlate global threats such as KnockKnock. Skyhigh has been working with its clients to educate, monitor and defend against the persistent KnockKnock attacks. Specifically, Skyhigh's machine learning and user-behavior analytics provides intelligent threat protection-generated anomalies and alerts; one of the core defense strategies helping enterprises identify, control and protect data in the cloud.

Additional Information

For more stories and to join the cloud security conversation, follow Skyhigh on The Cloud Security Blog, Facebook, LinkedIn, Youtube and Twitter.

About Skyhigh

Skyhigh Networks, the world's leading Cloud Access Security Broker (CASB), enables enterprises to safely adopt cloud services, while meeting their security, compliance and governance requirements. With more than 600 enterprise customers globally, Skyhigh provides organizations the visibility and management for all their cloud services, including enforcement of data loss prevention policies; detecting and preventing internal and external threats; encrypting data with customer-controlled keys; and implementing access-control policies. Headquartered in Campbell, Calif., Skyhigh Networks is backed by Greylock Partners, Sequoia Capital (News - Alert), Thomvest Ventures, Tenaya Capital and other strategic investors. For more information, visit

[ Back To's Homepage ]

Technology Marketing Corporation

35 Nutmeg Drive Suite 340, Trumbull, Connecticut 06611 USA
Ph: 800-243-6002, 203-852-6800
Fx: 203-866-3326

General comments:
Comments about this site:


© 2018 Technology Marketing Corporation. All rights reserved | Privacy Policy