We’ve all gotten messages like this. In the summer, Out of Office (OOO) automatic responses are standard operating procedure for vacation-goers. But it’s a day at the beach for bad actors, too. For them, all these OOO messages chum the water for their less-known but highly dangerous Out of Office and Read Receipt phishing attacks. Read on to learn about the danger and how to stay safe this summer, and beyond.
Through the OOO email above, the attacker can extract three important pieces of information that assist in attack planning and execution:
Many think the OOO message is harmless, appropriate, and in line with corporate policy. Well, the last point is likely true. But considering its associated risk, the widespread acceptance of OOO messages takes them to a whole different level of security exposure. If you haven’t already, now is a good time to revisit corporate policy on OOO and read receipt automatic responses with your information security team.
Unfortunately, no. The attacker can manipulate the “Reply to” field of the malicious email and redirect it to, for example, your colleague. In our example that would mean that Jane Hox will receive a real OOO message from Matt, which also includes the malicious message. The attempt is not quite a BEC message, but a brilliant and simple imitation. How can you protect yourself from these Out of Office and Read Receipt phishing attacks during the summer vacation period, and beyond? Here is Hoxhunt’s take on a more secure OOO message:
How is the above more-secure message different from the first message?
The key to Hoxhunt’s more secure OOO message is COMMUNICATION. If your absence has been properly communicated to the relevant parties (vendor partners, colleagues, bosses, etc.) beforehand, then there is no point in putting redundant information in the OOO message. Of course, if your job function demands heavy communication with external parties, then the risk/reward balance of an OOO message may shift toward necessity. But it’s still important to give as little information as possible that a bad actor can use as ammunition for a phishing attack.
I promised to talk about Out of Office and Read Receipt phishing attacks, so now it's time to discuss the Read Receipt side of the automatic response-enabled-coin. Both of these attacks leverage Microsoft's automatic response function, but the Read Receipt scam is an unusual-but-brilliant spoof of a spoof, leveraging business email compromise thinking. It's like a weaker fish that mimics a greater predator to get what it wants from the sea.
Above is a basic visualisation of a Read Receipt phishing attack:
Here is an example of what it can look like (cue the horror music):
In business email compromise, bad actors posing as executives urge underlings over email to make a dubious payment or fetch valuable info. Favored by bad actors with technical skill, but beyond the reach of many without, business email compromise drives many of today’s high-profile, big-money cybersecurity breaches. This long-favored tactic of cybercriminals is not in splashy headlines right now as much as ransomware, but some experts still rank BEC higher in terms of financial cybersecurity risk (this f-secure webinar with global security expert Mikko Hypponen offers outstanding insights on the topic; as does this FBI page). The only limitation for ransomware and BEC is that stealing users' credentials and sneaking around unnoticed in companies' internal systems is the work of more advanced and patient attackers. The Read Receipt phishing scam is unique in that it spoofs a spoof; it piggybacks on a BEC scam scenario, but in a way that’s easier for less-technical attackers to pull off. And oh, are they ready to make hay while the sun shines. Bad actors are out phishing in force as offices empty and employees activate their OOO summer vacation automatic response messages.
In Outlook, in addition to an automatic reply, in “Settings” you can block your calendar, cancel existing meetings and send auto replies strictly to your organization alone, which is a safer way to go. See how below, or check out the MS support page.
1. At the top of the page, select Settings > View all Outlook settings > Mail > Automatic replies.
2. Select the Turn on automatic replies toggle.
3. Select the Send replies only during a time period check box, and then enter a start and end time. If you don't set a time period, your automatic reply remains on until you turn it off by selecting the Automatic replies on toggle.
4. This is the important part for internal communications: Select the check box for any of the following options that you're interested in:
5. In the box at the bottom of the window, type a message to send to people during the time you're away.
6. Here you can select the check box for Send replies outside your organization. However, we recommend having the conversation with your superiors as to whether the risk outweighs the benefit of notifying external parties that you’re OOO.
7. When you're done, select Save at the top of the window.
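The same internal-only configuration can be applied and audited centrally by an Exchange Online administrator. The following is an added example, not code from the original post or from Hoxhunt; it assumes the ExchangeOnlineManagement module is installed, that the account running it has mailbox-configuration rights, and that the mailbox address and dates are placeholders you replace.

```powershell
# Added example (not part of the original post). Requires the
# ExchangeOnlineManagement module; placeholder tenant values below.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

$Mailbox   = 'matt@example.com'          # placeholder: mailbox going OOO
$StartTime = Get-Date '2024-07-01 00:00'  # placeholder vacation window
$EndTime   = Get-Date '2024-07-14 23:59'

# Minimal internal message: no dates, no substitute contact, no travel detail.
$InternalMessage = 'I am currently out of office and will reply when I am back.'

# Scheduled auto-reply that goes to the organisation only.
# -ExternalAudience None is the equivalent of leaving the
# "Send replies outside your organization" box unticked.
Set-MailboxAutoReplyConfiguration -Identity $Mailbox `
    -AutoReplyState   Scheduled `
    -StartTime        $StartTime `
    -EndTime          $EndTime `
    -InternalMessage  $InternalMessage `
    -ExternalAudience None

# Verify the result for this mailbox.
Get-MailboxAutoReplyConfiguration -Identity $Mailbox |
    Select-Object Identity, AutoReplyState, ExternalAudience, StartTime, EndTime

# Defender's check: list every mailbox whose active auto-reply still
# answers anyone on the internet, so the policy conversation can start.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxAutoReplyConfiguration |
    Where-Object { $_.AutoReplyState -ne 'Disabled' -and $_.ExternalAudience -eq 'All' } |
    Select-Object Identity, AutoReplyState, ExternalAudience

Disconnect-ExchangeOnline -Confirm:$false
```

Setting ExternalAudience to Known instead of None limits external replies to senders already in the user's contacts, which is a middle ground for roles that must acknowledge outside partners.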
The Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.