Out-of-Office messages are commonplace in today's work environments. Writing an Out-of-Office message is often the last thing users do before going on holiday and so it signals the end of work for a while! It's also often used in busy times to just let the email sender know not to expect a reply straight away, maybe due to meetings.
These Out-of-Office replies will often include key information like how long the employee will be away and who to contact in their absence. Whilst this is useful to colleagues and customers alike, we are also seeing the same information used against businesses in ransomware attacks and phishing campaigns...
Many company websites list their staff along with details of what they do and their contact information. This provides a threat actor with details of the organisation’s structure, which makes it easy to target individuals with spoofed phishing emails that will be likely to prompt a click from the recipient.
Even if this information isn't on the company website, it is often easily gained from other sources such as LinkedIn, along with details of other people who work there. If the target is active on LinkedIn, then additional information can also be gained from their posts, in order to flesh out an attack.
Once a threat actor has employee information like name, position and co-workers, maybe interests, then getting email addresses is fairly straightforward. Even if they aren’t listed publicly, there are sites such as Apollo that list known email patterns for companies and often the actual email for some staff.
Finding out when staff members are away is often pretty straightforward. As a starting point, seasonal holidays such as Christmas and Easter fall at known times, and July and August are a good bet for many people, particularly if some background research on the target has shown the threat actor that they have children. Looking at the target's social media accounts can also help identify when they are away.
Now the threat actor will send some seemingly innocuous generic enquiries. These will often come from legitimate-looking sources, maybe disposable Gmail accounts, maybe email addresses similar to those of colleagues, but ultimately the name of the game is for them to get their email delivered without triggering any spam protection.
At the end of this phase, the threat actor will have a list of working email addresses and a list of potential higher-value targets - the ones with Out-of-Office auto-replies!
The threat actor has now collected all of the information that they need, so they begin their attack. This can be done using a few different methods depending on the information that they have gathered.
A common tactic is to leverage the fact that the victim will likely come back to a vast amount of unread emails and will possibly be wanting to action some quick wins. Asking for something simple, such as an invoice to be paid or bank details to be updated, might just get done without the usual checks being performed, particularly if the email contains seemingly inside information, such as "hope you had a nice time off", which helps to make it seem legitimate.
Where the Out-of-Office message contains details of who to contact in the recipient's absence, this can be used to spoof an email so that it appears to be internal.
This can take the form of sending an email purporting to be from the user who is off to their named colleague, perhaps saying that they can't access their work email while away from the office and asking them to review a document such as a client proposal. The document is in fact a malware-laden file, used to compromise the colleague's computer and give the threat actor a foothold inside the network.
The bottom line is that your Out-of-Office auto response email is probably creating a vulnerability by giving out extra information which can be used against your business. There are lots of malicious ways that threat actors can use the information that your users are putting in their Out-of-Office messages, which often doesn't need to be there in the first place!
Here are some ideas to help keep your business safe:
- Keep your Out-of-Office messages to the needed information only. You don't need to say why you are not available or the length of time that you will be away. This way you don't highlight that someone might be returning from a two-week holiday and likely have a large backlog of emails.
- Instead of naming individual colleagues when providing alternative contact details, use shared generic mailboxes such as sales@ or help@ so that you don't disclose details of internal organisation structure and contact information.
- Train staff! There is no hiding it: people are the weak point, and the more skilled they are in detecting threats like this, the less likely they are to fall victim.
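One way to put the first two points into practice before an auto-reply goes live is to lint the message text for exactly the disclosures listed above. The script below is an added example and is not from the original post: it flags a stated reason for absence, a duration, a return date, a named colleague and any individual (non-shared) mailbox, and attaches the post's own advice to each finding. The regular expressions are heuristics, the generic-mailbox list is an assumption, and both sample replies are constructed for illustration.

```python
"""Lint an Out-of-Office auto-reply for the disclosures the post recommends leaving out.

Added example (not from the original post). The patterns are heuristics and the
sample replies below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

NUMBER_WORDS = r"\d+|one|two|three|four|five|six|seven|eight|nine|ten|a couple of|a few|a|an"

# Each pattern maps to a finding kind. Only named_contact captures a group.
PATTERNS = {
    # Why the person is away (the post says this does not need to be there).
    "reason": re.compile(
        r"\b(?:annual leave|holiday|vacation|maternity|paternity|sick|conference|"
        r"travell?ing|honeymoon)\b", re.I),
    # How long they are away, e.g. "for two weeks".
    "duration": re.compile(
        rf"\b(?:for\s+)?(?:{NUMBER_WORDS})\s+(?:day|week|month)s?\b", re.I),
    # When they are back, e.g. "until 14th August", "back on 14/08", "returning on Monday".
    "return_date": re.compile(
        r"\b(?:until|till|back on|return(?:ing)? on|from)\s+(?:the\s+)?"
        r"(?:\d{1,2}(?:st|nd|rd|th)?(?:\s+(?:of\s+)?[A-Z][a-z]+)?(?:,?\s*\d{4})?"
        r"|\d{1,2}[/.-]\d{1,2}(?:[/.-]\d{2,4})?"
        r"|(?:mon|tues|wednes|thurs|fri|satur|sun)day)\b", re.I),
    # A capitalised "First Last" straight after a contact verb. Deliberately
    # case-sensitive so that "contact help@..." is not mistaken for a person.
    "named_contact": re.compile(
        r"\b(?:contact|speak to|reach out to|email|ask for)\s+([A-Z][a-z]+\s+[A-Z][a-z]+)\b"),
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Assumed list of shared mailbox names; extend to match your organisation.
GENERIC_LOCALPARTS = {"sales", "help", "support", "info", "enquiries", "inquiries",
                      "accounts", "hello", "contact", "office", "helpdesk"}

ADVICE = {
    "reason": "Don't say why you are away; 'out of the office' is enough.",
    "duration": "Don't give the length of the absence; it signals a large backlog on return.",
    "return_date": "Don't give a return date; it tells a sender exactly when the backlog is worked through.",
    "named_contact": "Point senders at a shared mailbox (sales@, help@) rather than naming a colleague.",
    "personal_mailbox": "Replace the individual's address with a shared generic mailbox.",
}


@dataclass(frozen=True)
class Finding:
    kind: str
    evidence: str
    advice: str


def is_generic_mailbox(address: str) -> bool:
    """True when the local part looks like a shared mailbox rather than a person."""
    local = address.split("@", 1)[0].lower()
    return local in GENERIC_LOCALPARTS or local.endswith("team")


def review_auto_reply(text: str) -> list[Finding]:
    """Return one Finding per disclosure found in an auto-reply, in pattern order."""
    findings: list[Finding] = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            # lastindex is None for the group-less patterns, so group(0) is used there.
            findings.append(Finding(kind, m.group(m.lastindex or 0), ADVICE[kind]))
    for m in EMAIL_RE.finditer(text):
        if not is_generic_mailbox(m.group(0)):
            findings.append(Finding("personal_mailbox", m.group(0), ADVICE["personal_mailbox"]))
    return findings


# Constructed sample replies (not from the post).
LEAVE_REPLY = (
    "Hi, thanks for your email. I am on annual leave for two weeks until 14th August "
    "and will have limited access to email. For urgent matters please contact "
    "John Smith on john.smith@example.com."
)
SAFE_REPLY = (
    "Thank you for your message. I am currently out of the office with limited "
    "access to email. For anything urgent, please contact help@example.com."
)

if __name__ == "__main__":
    for label, reply in (("leave reply", LEAVE_REPLY), ("minimal reply", SAFE_REPLY)):
        found = review_auto_reply(reply)
        print(f"{label}: {len(found)} disclosure(s)")
        for f in found:
            print(f"  [{f.kind}] {f.evidence!r}: {f.advice}")
```

The minimal reply produces no findings and is the shape the post recommends: it says the person is unavailable, nothing about why or for how long, and routes urgent mail to a shared mailbox instead of a named colleague. Because the check is pure text matching, it can be run on a template before it is rolled out or wired into whatever approval step your mail platform already has.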
If you want to talk about keeping your business secure, why not give us a call or look at our free cyber security guide?