Significant Hacking Trend
Over this 2025/26 Christmas and New Year period, our Kinetics KARE security monitoring has detected a significant increase in sophisticated authentication attacks targeting New Zealand businesses.
KARE Foundation clients are protected and experiencing minimal impact. However, organisations with ad-hoc or legacy cybersecurity are likely to be experiencing account lockouts and may be compromised.
What We’re Observing
Attackers are attempting to authenticate using the SMTP mail protocol, masquerading as ‘Microsoft Online’ services. The activity appears to originate from Seoul, South Korea, routed through multiple international nodes. The timing is deliberate, targeting the holiday period when businesses operate with reduced IT oversight.
Observed Attack Vector (for the technically minded)
Password spray / credential stuffing against legacy SMTP using ROPC
An actor is programmatically attempting to authenticate to Exchange Online via SMTP AUTH using ROPC (the OAuth Resource Owner Password Credentials flow: username + password), which bypasses modern interactive prompts and MFA. A Conditional Access (CA) policy that blocks legacy auth/ROPC stopped token issuance, producing error 53003. The BAV2ROPC user agent and “Authenticated SMTP” designation strongly indicate non‑interactive, legacy protocol abuse rather than a legitimate modern login.
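To check your own tenant for the indicators described above, the following added example (not Kinetics KARE tooling) triages exported Entra ID sign-in records and reports each targeted account's worst outcome and any source address spraying several accounts. The field names follow the Microsoft Graph signIn resource; the sample records, addresses and `spray_threshold` are constructed for illustration, and lockout code 50053 is Microsoft's AADSTS50053 rather than a value from this advisory.

```python
import json
from collections import defaultdict

CA_BLOCKED = 53003  # Conditional Access block, the error reported above
LOCKED_OUT = 50053  # AADSTS50053: account locked (assumption: not from the advisory)
SEVERITY = ["blocked_by_ca", "failed", "locked_out", "succeeded"]  # low -> high

# Constructed sample records; addresses come from documentation-only ranges.
SAMPLE = json.loads("""[
 {"userPrincipalName":"amy@example.co.nz","ipAddress":"203.0.113.7","clientAppUsed":"Authenticated SMTP","userAgent":"BAV2ROPC","status":{"errorCode":53003}},
 {"userPrincipalName":"ben@example.co.nz","ipAddress":"203.0.113.7","clientAppUsed":"Authenticated SMTP","userAgent":"BAV2ROPC","status":{"errorCode":53003}},
 {"userPrincipalName":"cat@example.co.nz","ipAddress":"203.0.113.7","clientAppUsed":"Authenticated SMTP","userAgent":"BAV2ROPC","status":{"errorCode":50126}},
 {"userPrincipalName":"cat@example.co.nz","ipAddress":"203.0.113.7","clientAppUsed":"Authenticated SMTP","userAgent":"BAV2ROPC","status":{"errorCode":50053}},
 {"userPrincipalName":"dan@example.co.nz","ipAddress":"198.51.100.20","clientAppUsed":"Authenticated SMTP","userAgent":"BAV2ROPC","status":{"errorCode":0}},
 {"userPrincipalName":"amy@example.co.nz","ipAddress":"192.0.2.50","clientAppUsed":"Browser","userAgent":"Mozilla/5.0","status":{"errorCode":0}}
]""")

def is_legacy_smtp_ropc(rec):
    """True when a sign-in carries either indicator named in the advisory."""
    return (rec.get("clientAppUsed") == "Authenticated SMTP"
            or "BAV2ROPC" in (rec.get("userAgent") or ""))

def outcome(rec):
    code = rec.get("status", {}).get("errorCode")
    if code == 0:
        return "succeeded"  # review: a real device, or a guessed password
    if code == LOCKED_OUT:
        return "locked_out"
    if code == CA_BLOCKED:
        return "blocked_by_ca"
    return "failed"  # any other or missing code, e.g. a wrong password

def triage(signins, spray_threshold=3):
    """Worst outcome per account, plus IPs that tried >= spray_threshold accounts."""
    worst, targets_by_ip = {}, defaultdict(set)
    for rec in filter(is_legacy_smtp_ropc, signins):
        user = rec.get("userPrincipalName", "").lower()
        targets_by_ip[rec.get("ipAddress", "")].add(user)
        result = outcome(rec)
        prev = worst.setdefault(user, result)
        if SEVERITY.index(result) > SEVERITY.index(prev):
            worst[user] = result
    spray = {ip: sorted(u) for ip, u in targets_by_ip.items() if len(u) >= spray_threshold}
    return {"accounts": worst, "spray_sources": spray}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Any account reported as `succeeded` over this legacy path should be reviewed first, since that sign-in completed with a password alone.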
Who’s Protected, Who’s Vulnerable
KARE Foundation Clients: Protected
Your multi-layered security is working as designed. Conditional access policies are blocking suspicious attempts. Multi-factor authentication will prevent unauthorised access, and our team is monitoring patterns 24/7. You may notice slightly increased security alerts. This is your protection working correctly.
Ad-Hoc or Legacy Security: Vulnerable
Without systematic security, you’re likely to experience increased account lockouts, with the resulting productivity disruption from password resets, or worse if accounts are compromised. Compromised email accounts provide attackers access to business communications, financial information, and customer data.
Immediate Actions
If You’re on KARE Foundation:
Continue normal operations. Report any unusual authentication challenges to our helpdesk. Stay vigilant for phishing attempts that may accompany these attacks.
If You Have Ad-Hoc Security:
- Enable multi-factor authentication on all business email accounts immediately
- Review account lockout logs to identify targeted accounts
- Alert staff about increased authentication attempts
- Assess your security posture as this campaign reveals gaps that leave you vulnerable
Getting Protected
KARE Foundation can be implemented within a few business days, providing systematic security that blocks these attacks. Our complimentary Security Assessment identifies specific vulnerabilities and recommends proportionate improvements.
Contact Us Immediately
If you’re experiencing account lockouts or suspicious authentication attempts:
Phone: 0800 546 384
Email: support@kinetics.co.nz
This attack campaign will eventually subside, but the threat environment continues to intensify. The question isn’t whether you’ll invest in protection—it’s whether you’ll do so proactively or pay far more in incident response costs and business disruption.