Out of office

Out of Office (OOO) replies have become a common courtesy in today’s workplace. They are used when an employee goes on vacation or is out for any other reason. An auto-reply lets customers and colleagues know not to expect an immediate response. The auto-reply will include information like how long the employee will be away and who to contact in their absence. 

Unfortunately, the information in OOO messages can be used by hackers to launch Business Email Compromise (BEC) scams, ransomware attacks and phishing campaigns. 

Here’s how they’re able to do it.

Step #1: Threat Actors Spend Time Researching You

Many companies list staff on their websites with bios and contact information. This provides a threat actor with the organization’s structure, which makes it possible to phish individuals with spoofed emails that will be likely to prompt a click from the recipient. 

Even without “About Us” or “Meet the Team” pages, LinkedIn profiles will often let threat actors work out who works at a company and provide a few personal details to add an extra level of personalization to a phishing email.

Once a hacker has what amounts to an employee directory, getting email addresses is fairly straightforward. Even if they aren’t listed publicly, there are sites such as Hunter.io that list known email patterns for companies. 

Step #2: Threat Actors Test the Waters

Employees often go on vacation during mid-to-late Summer and between Thanksgiving and New Year’s. During these periods, your organization may see an increase in OOO phishing emails. 

Having registered multiple email addresses via free services, threat actors send specific and generic inquiry emails to the email addresses they have researched. A specific email might come from what appears to be a colleague’s personal email account. There may also be a message from a valid Gmail address stating “Hi – I’d like to know more about your services.” The threat actor is trying to get the user to click without triggering spam filters.

The threat actor creates a list of OOO auto-replies and gleans any useful information from those auto-replies, which is why if you’re going to use OOO notifications, they should contain as little detail as possible. 

Step #3: The Threat Actor Attacks

With an email directory and their target’s schedules in hand, there are many ways to compromise an organization. Here are a few possibilities:

If an OOO message states specifically that an employee was out on vacation and would be back on a certain date, a message could read: 

“Hi [name],

I hope your vacation was great! While you were out, we noticed an irregularity with payroll.

Can you please update the following document with your payment information?

[name of payroll manager]”

The returning employee generally returns to a large backlog of emails, which means they will be moving faster than usual, as the threat actor is all too aware. The attached file could contain hidden ransomware or malware, or it could redirect the employee to a website designed to collect sensitive personal information. A spoofed email address that includes even a small amount of personal information means that is unlikely to raise suspicion. 

OOO notifications can also be used by a threat actor to target the absentee’s colleagues. Additionally, OOO messages that say who to email for urgent matters create further insecurity:

“Hi [colleague name],

Before I left, I forgot to follow up with this client. I’m not able to access my work email right now, so can you please take a look at [link or email attachment] and follow up with them? 

Sorry for the inconvenience,

[name of OOO employee]”

Whether the link or attachment compromises that employee, or s/he is tricked into sharing sensitive information, a lot of damage can be done by a threat actor who is focused.

The bottom line is that OOO notifications create needless vulnerability. The variations are infinite, but the M.O. remains the same; OOO messages can provide useful information to create more convincing phishing emails and to gain insight on a company’s organizational structure and their target’s state of mind.  

Here’s how to protect yourself and your company while OOO:

  • Keep your message vague: Don’t provide the reason for your absence, or the length of time you’ll be out. Someone returning from a three-week vacation likely has a larger number of emails waiting for them and is more likely to respond to an email marked “URGENT,” someone returning from a family emergency may be distracted. The detail adds credibility to a phishing email.
  • Refer incoming emails to a gatekeeper account: Provide a general point of contact such as info@example.com or your company’s main phone number to handle incoming inquiries. That way, messages can be routed internally without needing to let anyone know exactly who is reading them.
  • Invest in security training:  Whether they’re on a dream vacation or working throughout the holidays, it’s critical to ensure that any employee knows the telltale signs of phishing emails and best practices to keep everyone at an organization safe.