CORRECTING and REPLACING Skyhigh Uncovers ‘KnockKnock,’ a Widespread Attack on Office 365 Corporate Email Accounts

Attacks targeted global accounts with high-privileged access to information Skyhigh Networks

CAMPBELL, Calif.--()--Please replace the release with the following corrected version due to multiple revisions.

The corrected release reads:


Attacks targeted global accounts with high-privileged access to information

Skyhigh Networks, the world’s leading Cloud Access Security Broker (CASB), announced today the detection of a previously unknown botnet ‘KnockKnock.’ This campaign is a sophisticated cyber attack on Office 365 Exchange Online email accounts, originating from 16 countries around the world and targeted organizations in manufacturing, financial services, healthcare, consumer products and US public sector. The attackers behind KnockKnock targeted automated corporate email accounts not tied to a human identity, which often lacked advanced security policies.

Unlike the brute force campaign on corporate Office 365 accounts Skyhigh had previously reported, KnockKnock is a new campaign based on a unique attack strategy of targeting administrative accounts commonly used to integrate corporate email systems with marketing and sales automation software. Since these accounts are not linked to a human identity and require automated use, they are less likely to have protection with security policies such as multi-factor authentication (MFA) and recurring password reset.

On gaining access to an enterprise Office 365 account, the KnockKnock campaign typically exfiltrates any data in the inbox, creates a new inbox rule, and initiates a phishing attack from this controlled inbox in an attempt to propagate infection across the enterprise.

“This campaign on Office 365 is particularly troubling due to its focus on system accounts that are essential for today’s business automation, that typically do not require MFA and that traditionally have weak security oversight,” said Sekhar Sarukkai, Chief Scientist, Skyhigh Networks. “Detection and protection from attacks on these ‘weakest link’ accounts require a cloud-native security approach for complete visibility and mitigation.”

Scope of the Attacks

The KnockKnock campaign began in May 2017 and is still ongoing, with the bulk of activity occurring between June and August. With a focus on precision targeting instead of high volume targeting, attacks averaged five email addresses for each customer.

Skyhigh CASB’s Threat Protection engine detected these attacks when logins to Office 365 were from unusual locations and the activities defied standard behavioral patterns as analyzed by Skyhigh’s machine learning algorithms. This analysis offered a detailed map of the attacks:

  • Hackers used 63 networks and 83 IP addresses to conduct their attacks.
  • Roughly 90 percent of the login attempts came from China, with additional attempts originating from Russia, Brazil, U.S., Argentina and 11 other countries.
  • Targets included Infrastructure and Internet of Things (IoT) vendors, as well as departments related to infrastructure and IoT in large enterprises, across industries such as manufacturing, financial services, healthcare, consumer products and the US public sector.
  • Almost all of the accounts were confirmed to be ‘non-human’ system accounts.

Skyhigh’s visibility into cloud traffic of over 30 million enterprise users worldwide allows the company to correlate global threats such as KnockKnock. Skyhigh has been working with its customers to detect and protect against the persistent KnockKnock attacks.

Additional Information

For more stories and to join the cloud security conversation, follow Skyhigh on The Cloud Security Blog, Facebook, LinkedIn, YouTube and Twitter.

About Skyhigh

Skyhigh Networks, the world’s leading Cloud Access Security Broker (CASB), enables enterprises to safely adopt cloud services, while meeting their security, compliance and governance requirements. With more than 600 enterprise customers globally, Skyhigh provides organizations the visibility and management for all their cloud services, including enforcement of data loss prevention policies; detecting and preventing internal and external threats; encrypting data with customer-controlled keys; and implementing access-control policies. Headquartered in Campbell, Calif., Skyhigh Networks is backed by Greylock Partners, Sequoia Capital, Thomvest Ventures, Tenaya Capital and other strategic investors. For more information, visit


Skyhigh Networks
Jason Stolarczyk, +1 650-475-6875


Skyhigh Networks
Jason Stolarczyk, +1 650-475-6875