{"id":15803,"date":"2025-12-29T14:13:52","date_gmt":"2025-12-29T01:13:52","guid":{"rendered":"https:\/\/kinetics.co.nz\/?p=15803"},"modified":"2025-12-29T14:13:52","modified_gmt":"2025-12-29T01:13:52","slug":"urgent-advisory-were-seeing-a-significant-increase-in-authentication-attacks-this-christmas","status":"publish","type":"post","link":"https:\/\/new.kinetics.co.nz\/?p=15803","title":{"rendered":"URGENT ADVISORY: We’re seeing a significant increase in authentication attacks this Christmas"},"content":{"rendered":"\n[et_pb_section fb_built=”1″ _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_row column_structure=”1_2,1_2″ _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”1_2″ _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.27.4″ _module_preset=”default” min_height=”104.2px” hover_enabled=”0″ global_colors_info=”{}” theme_builder_area=”post_content” sticky_enabled=”0″]

Significant Hacking Trend\u00a0<\/h2>\n

Over this 2025\/26 Christmas and New Year period, our Kinetics KARE security monitoring has detected a significant increase in sophisticated authentication attacks targeting New Zealand businesses.<\/p>\n

KARE Foundation clients are protected and experiencing minimal impact. However organisations with ad-hoc or legacy cybersecurity are likely\u00a0 to be experiencing account lockouts and may be compromised.<\/p>[\/et_pb_text][et_pb_text _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]

What We’re Observing<\/h2>\n

Attackers are attempting to authenticate using SMTP mail protocol, masquerading as ‘Microsoft Online’ services. The activity appears to originate from Seoul, South Korea, routed through multiple international nodes. The timing is deliberate, targeting the holiday period when businesses operate with reduced IT oversight.<\/p>[\/et_pb_text][\/et_pb_column][et_pb_column type=”1_2″ _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.27.4″ _module_preset=”default” background_color=”rgba(34,34,34,0.07)” custom_padding=”10px|10px|10px|10px|false|false” border_radii=”on|10px|10px|10px|10px” border_width_all=”2px” box_shadow_style=”preset1″ global_colors_info=”{}” theme_builder_area=”post_content”]

Observed Attack Vector (for the technically minded)<\/h3>\n

Password spray \/ credential stuffing against legacy SMTP using ROPC<\/strong>
An actor is programmatically attempting to authenticate to Exchange Online via SMTP AUTH<\/strong> using ROPC<\/strong> (username + password), which bypasses modern interactive prompts and MFA<\/strong>. Conditional Access (CA) policy that blocks legacy auth\/ROPC stopped token issuance, producing error 53003<\/strong>. The BAV2ROPC<\/code> agent and \u201cAuthenticated SMTP\u201d designation strongly indicate non\u2011interactive, legacy protocol abuse<\/strong> rather than a legitimate modern login.<\/span><\/p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]

Who’s Protected, Who’s Vulnerable<\/h2>\n

KARE Foundation Clients: Protected<\/h3>\n

Your multi-layered security is working as designed. Conditional access policies are blocking suspicious attempts.\u00a0 Multi-factor authentication will prevent unauthorised access, and our team is monitoring patterns 24\/7. You may notice slightly increased security alerts.\u00a0 This is your protection working correctly.<\/p>\n

Ad-Hoc or Legacy Security: Vulnerable<\/h3>\n

Without systematic security, you’re likely to experience increased account lockouts, with the resulting productivity disruption from password resets, o worse if there are potential account compromises. Compromised email accounts provide attackers access to business communications, financial information, and customer data.<\/p>\n

Immediate Actions\u00a0<\/h2>\n

If You’re on KARE Foundation:<\/h3>\n

Continue normal operations. Report any unusual authentication challenges to our helpdesk. Stay vigilant for phishing attempts that may accompany these attacks.<\/p>\n

If You Have Ad-Hoc Security:<\/h3>\n
    \n
  • Enable multi-factor authentication<\/strong> on all business email accounts immediately<\/li>\n
  • Review account lockout logs<\/strong> to identify targeted accounts<\/li>\n
  • Alert staff<\/strong> about increased authentication attempts<\/li>\n
  • Assess your security posture <\/strong>as this campaign reveals gaps that leave you vulnerable<\/li>\n<\/ul>\n

    Getting Protected<\/h2>\n

    KARE Foundation can be implemented within a few business days, providing systematic security that blocks these attacks. Our complimentary Security Assessment identifies specific vulnerabilities and recommends proportionate improvements.<\/p>\n

    Contact Us Immediately<\/h2>\n

    If you’re experiencing account lockouts or suspicious authentication attempts:<\/p>\n

    Phone: <\/strong>0800 546 384<\/p>\n

    Email: <\/strong>support@kinetics.co.nz<\/p>\n

     <\/p>\n

    This attack campaign will eventually subside, but the threat environment continues to intensify. The question isn’t whether you’ll invest in protection\u2014it’s whether you’ll do so proactively or pay far more in incident response costs and business disruption.<\/p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]\n","protected":false},"excerpt":{"rendered":"

    Significant Hacking Trend\u00a0 Over this 2025\/26 Christmas and New Year period, our Kinetics KARE security monitoring has detected a significant increase in sophisticated authentication attacks targeting New Zealand businesses. KARE Foundation clients are protected and experiencing minimal impact. However organisations with ad-hoc or legacy cybersecurity are likely\u00a0 to be experiencing account lockouts and may be […]<\/p>\n","protected":false},"author":5,"featured_media":15810,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4,5],"tags":[],"class_list":["post-15803","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","category-security"],"_links":{"self":[{"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/posts\/15803","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15803"}],"version-history":[{"count":0,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/posts\/15803\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/"}],"wp:attachment":[{"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15803"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15803"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15803"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}