We’ve all gotten messages like this. In the summer, Out of Office (OOO) automatic responses are standard operating procedure for vacation-goers. But it’s a day at the beach for bad actors, too. For them, all these OOO messages chum the water for their less-known but highly dangerous Out of Office and Read Receipt phishing attacks. Read on to learn about the danger and how to stay safe this summer, and beyond.
Through the OOO email above, the attacker can extract three important pieces of information that assist in attack planning and execution:
- First, knowing exactly when you are away lets the attacker time phishing messages to your absence and lace them with details that make recipients think, “It has to be true, because who else would know this?”
- Second, the person gives the attacker two contact options (Jane Hox and Jake Hunt) who are expecting to get messages meant for you and will thus be more trusting of an imposter scam email. Moreover, it gives the attacker a better view into who your closest company contacts are, for better tailoring of messages.
- Third, the person even gives away the contacts’ email addresses, which makes it just too easy for the attacker.
Out of Office and Read Receipt phishing attacks are worth reevaluating for company policy
Many think the OOO message is harmless, appropriate, and in line with corporate policy. The last point is likely true. But an OOO message is exposure, and because almost everyone sends one, it is exposure at company scale. If you haven’t already, now is a good time to revisit corporate policy on OOO and read receipt automatic responses with your information security team.
How does the Microsoft OOO automatic reply work? It just sends an automatic reply to the person sending the email, right?
Not quite. Many autoresponders address the reply to whatever is in the message’s “Reply-To” header when one is present, and the attacker controls that header. By setting Reply-To to, for example, your colleague’s address, the attacker makes your own mail system do the sending: in our example Jane Hox receives a genuine OOO message from Matt’s mailbox, and, depending on how the autoresponder is configured, that reply can quote the attacker’s original text. It is not quite a BEC message, but a simple and convincing imitation of one. (RFC 3834 recommends sending automatic responses to the envelope sender, the Return-Path, rather than to Reply-To; whether your mail system actually does so is something to verify, not assume.)
How can you protect yourself from these Out of Office and Read Receipt phishing attacks during the summer vacation period, and beyond? Here is Hoxhunt’s take on a more secure OOO message:
How is the above more-secure message different from the first message?
- Matt does not say why he is away or for how long. Only his team and the other people who need to know have that information.
- By leaving out names and contact details, Matt gives an attacker nothing to use against his colleagues.
- Matt invites the sender to call, but he gives no phone number. Why?
- He doesn’t want anyone to bother him on vacation, for one thing.
- The important people who know he is away most likely have his phone number.
The key to Hoxhunt’s more secure OOO message is COMMUNICATION. If your absence has been properly communicated to the relevant parties (vendor partners, colleagues, bosses, etc.) beforehand, there is no point in repeating information in the OOO message that they already have.
Of course, if your job demands heavy communication with external parties, the balance may tip and an external OOO message may become a necessity. Even then, give away as little as possible that a bad actor can use as ammunition for a phishing attack.
How Read Receipt phishing attacks leverage the BEC scam playbook
I promised to talk about Out of Office and Read Receipt phishing attacks, so now it’s time to flip the automatic-response coin over to its Read Receipt side. Both attacks ride on automatic responses that the victim’s own mail system or client generates (Microsoft’s in the cases we see, though read receipts are a standard feature of mail clients in general), but the Read Receipt scam is an unusual-but-brilliant spoof of a spoof, borrowing business email compromise thinking. It’s like a weaker fish that mimics a greater predator to get what it wants from the sea.
Above is a basic visualisation of a Read Receipt phishing attack:
- The attacker prepares the message and sets the “Disposition-Notification-To” header, the standard way (RFC 8098) for a sender to ask the recipient’s mail client for a read receipt, to an address of the attacker’s choosing instead of the attacker’s own, so that the receipt for the opened email goes to someone else.
- The message is delivered to the target like any other email.
- When the target opens it, the mail client generates the read receipt and sends it to the address in that header, not to the attacker.
- That receipt is a genuine automatic message from the target’s own mailbox, so it tends to sail past filters and arrives looking like it came from your colleague’s email address. And just like that, the attacker has spoofed a BEC.
Whether a receipt is sent at all depends on the reader’s client settings: Outlook can be set to never send read receipts, or to ask each time, which takes this vector away.
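The two mechanisms described above (the Reply-To redirect in the OOO section and the Disposition-Notification-To redirect in the read receipt steps) come down to a couple of headers. The following is an added example, not code from Hoxhunt or from the original post: it builds a constructed attacker message, shows what the victim’s mailbox would send back (an OOO reply, and a read receipt in the RFC 8098 multipart/report layout) and to whom, and then runs a small header check that flags the redirection. The domain company.example, every address, and the message text are assumptions made up for the example; the autoresponder modelled here is one that honours Reply-To, which is the behaviour the attack relies on.

```python
"""Added example (not Hoxhunt's code): how Reply-To and Disposition-Notification-To
steer automatic responses, plus a header check that flags them. Every address,
domain and message text below is constructed."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

ORG_DOMAIN = "company.example"  # assumption: the defending organisation's domain

# Constructed attacker message: the visible sender is external, but both headers
# that drive automatic responses point at a colleague inside the target company.
ATTACKER_MESSAGE = """\
From: "Supplier Billing" <billing@supplier-invoices.example>
To: Matt <matt@company.example>
Reply-To: Jane Hox <jane.hox@company.example>
Disposition-Notification-To: Jane Hox <jane.hox@company.example>
Subject: Updated bank details for invoice 4471
Message-ID: <inv4471@supplier-invoices.example>

Hi Matt, please use the new account details below for this month's payment.
"""

# Constructed ordinary external message with no redirecting headers.
BENIGN_MESSAGE = "From: Alice <alice@partner.example>\nTo: Matt <matt@company.example>\nSubject: Lunch?\n\nTuesday?\n"


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def header_address(msg, name):
    """Bare, lower-cased address from a single-address header, or None."""
    value = msg.get(name)
    return (parseaddr(str(value))[1].lower() or None) if value else None


def autoresponder_target(msg):
    """Where a Reply-To-honouring autoresponder sends the OOO reply (RFC 3834 recommends
    the envelope sender instead; this models the behaviour the attack relies on)."""
    return header_address(msg, "Reply-To") or header_address(msg, "From")


def mdn_target(msg):
    """Where a read receipt goes if the reader's client sends one."""
    return header_address(msg, "Disposition-Notification-To")


def build_ooo_reply(msg, ooo_text):
    """The OOO reply Matt's mailbox generates: genuinely from Matt, addressed to
    whoever the attacker named in Reply-To, quoting the attacker's text."""
    reply = EmailMessage()
    reply["From"] = str(msg["To"])
    reply["To"] = autoresponder_target(msg)
    reply["Subject"] = "Automatic reply: " + str(msg["Subject"])
    reply["Auto-Submitted"] = "auto-replied"
    reply.set_content(ooo_text + "\n\n---- Original message ----\n" + msg.get_content())
    return reply


def build_read_receipt(msg, reader_name="Matt"):
    """The disposition notification a client sends when it honours the request, in the
    RFC 8098 multipart/report layout: From is the victim, To is the attacker's choice."""
    mdn = MIMEMultipart("report", report_type="disposition-notification")
    mdn["From"] = str(msg["To"])
    mdn["To"] = mdn_target(msg)
    mdn["Subject"] = "Read: " + str(msg["Subject"])
    mdn["Auto-Submitted"] = "auto-replied"
    mdn.attach(MIMEText(f"Your message was read by {reader_name}."))
    report = MIMENonMultipart("message", "disposition-notification")
    report.set_payload(
        "Reporting-UA: example-client/1.0\n"  # placeholder client name (assumption)
        f"Final-Recipient: rfc822;{header_address(msg, 'To')}\n"
        f"Original-Message-ID: {msg['Message-ID']}\n"
        "Disposition: manual-action/MDN-sent-manually; displayed\n"
    )
    mdn.attach(report)
    return mdn


def redirect_findings(msg, org_domain=ORG_DOMAIN):
    """Flag headers that aim an automatic response somewhere other than the visible
    sender, especially back into the organisation from an outside sender. Cheap
    enough to run at the gateway or in a mail-flow rule."""
    findings = []
    sender = header_address(msg, "From") or ""
    sender_domain = sender.rpartition("@")[2]
    # Return-Receipt-To is a legacy, non-standard receipt request some clients still honour.
    for name in ("Reply-To", "Disposition-Notification-To", "Return-Receipt-To"):
        target = header_address(msg, name)
        if not target:
            continue
        if target != sender:
            findings.append(f"{name} ({target}) differs from From ({sender})")
        if target.rpartition("@")[2] == org_domain and sender_domain != org_domain:
            findings.append(f"{name} steers the response into {org_domain} from an external sender")
    return findings


if __name__ == "__main__":
    attack = parse(ATTACKER_MESSAGE)
    print(build_ooo_reply(attack, "I am out of the office.").as_string())
    print(build_read_receipt(attack).as_string())
    print(*redirect_findings(attack), sep="\n")
```

Run it and look at the From and To lines of the two generated messages: both carry Matt’s address as the sender and Jane’s as the recipient, which is the whole trick. The check in redirect_findings is deliberately narrow (a Reply-To that merely differs from From is common and legitimate), so the finding worth alerting on is the second one: a response header from an outside sender that points back into your own domain.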
Here is an example of what it can look like (cue the horror music):
Just when you thought it was safe to go back in the water this summer: Enter the Out of Office (OOO) and Read Receipt phishing attacks
In business email compromise, bad actors posing as executives urge underlings over email to make a dubious payment or hand over valuable information. Favored by bad actors with technical skill but beyond the reach of many without it, business email compromise drives many of today’s high-profile, big-money cybersecurity breaches. This long-favored tactic of cybercriminals is not in the splashy headlines right now as much as ransomware, but some experts still rank BEC higher in terms of financial cybersecurity risk (an F-Secure webinar with global security expert Mikko Hypponen offers outstanding insights on the topic, as does the FBI’s page on the subject). The one limitation shared by ransomware and BEC is that stealing users’ credentials and sneaking around unnoticed in companies’ internal systems is the work of more advanced and patient attackers.
The Read Receipt phishing scam is unique in that it spoofs a spoof; it piggybacks a BEC scam scenario but in a way that’s easier for less-technical attackers to pull off.
And oh, are they ready to make hay while the sun shines. Bad actors are out phishing in force as offices empty and employees switch on their summer-vacation OOO automatic replies.
How to safely notify colleagues you’ll be OOO via Outlook
In Outlook, in addition to an automatic reply, the Settings pane lets you block your calendar, cancel existing meetings and send auto replies strictly within your organization, which is the safer way to go. See how below, or check out the MS support page. (Administrators can enforce the same thing for everyone in Exchange Online: the remote domain setting AllowedOOFType controls whether any out-of-office replies are sent to external addresses at all.)
- At the top of the page, select Settings > View all Outlook settings > Mail > Automatic replies.
- Select the Turn on automatic replies toggle.
- Select the Send replies only during a time period check box, and then enter a start and end time. If you don’t set a time period, your automatic reply remains on until you turn it off by selecting the Automatic replies on toggle.
- This is the important part for internal communications: Select the check box for any of the following options that you’re interested in:
- Block my calendar for this period
- Automatically decline new invitations for events that occur during this period
- Decline and cancel my meetings during this period
- In the box at the bottom of the window, type a message to send to people during the time you’re away.
- Here you can also select the Send replies outside your organization check box. Before you do, we recommend having the conversation with your superiors about whether the benefit of notifying external parties that you’re OOO outweighs the risk.
- When you’re done, select Save at the top of the window.
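The settings above can also be checked and set programmatically, which is how you find the mailboxes that ignored the advice. The following is an added example, not code from Hoxhunt or from Microsoft: it audits an automatic-reply configuration for the three leaks discussed earlier (external audience, contact details, dates) and builds a safer configuration that replies only inside the organisation. The dictionaries follow the shape of Microsoft Graph’s mailboxSettings.automaticRepliesSetting, on the assumption that you read and patch it through /me/mailboxSettings; the two sample configurations, and every name, address and phone number in them, are constructed for the example. The regular expressions are heuristics, not a complete PII detector.

```python
"""Added example (not Hoxhunt's code): audit an automatic-reply configuration for
the leaks discussed above and build a safer one. The dictionaries follow the shape
of Microsoft Graph's mailboxSettings.automaticRepliesSetting (assumption: you read
and patch it through /me/mailboxSettings); the sample settings, names, addresses
and numbers are constructed."""
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
MONTHS = r"(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*"
DATE_RE = re.compile(
    rf"\b\d{{1,2}}(?:st|nd|rd|th)?\s+{MONTHS}\b"  # 21 July
    rf"|\b{MONTHS}\s+\d{{1,2}}\b"  # July 21
    r"|\b\d{1,2}[./-]\d{1,2}(?:[./-]\d{2,4})?\b"  # 21.7. or 21/07/2024
    r"|\b\d{4}-\d{2}-\d{2}\b",  # 2024-07-21
    re.IGNORECASE,
)

# Constructed: the kind of reply the first message on the page sends to everyone.
LEAKY_SETTINGS = {
    "status": "scheduled",
    "externalAudience": "all",
    "scheduledStartDateTime": {"dateTime": "2024-07-08T00:00:00", "timeZone": "UTC"},
    "scheduledEndDateTime": {"dateTime": "2024-07-22T00:00:00", "timeZone": "UTC"},
    "internalReplyMessage": "Out until 21 July, Jane Hox is covering for me.",
    "externalReplyMessage": (
        "I am on vacation until 21 July. For urgent matters, contact Jane Hox "
        "(jane.hox@company.example) or Jake Hunt (jake.hunt@company.example, "
        "+358 40 123 4567)."
    ),
}

# Constructed: Hoxhunt's advice applied. Nothing leaves the organisation.
SAFER_SETTINGS = {
    "status": "scheduled",
    "externalAudience": "none",
    "scheduledStartDateTime": {"dateTime": "2024-07-08T00:00:00", "timeZone": "UTC"},
    "scheduledEndDateTime": {"dateTime": "2024-07-22T00:00:00", "timeZone": "UTC"},
    "internalReplyMessage": (
        "Thank you for your message. I am currently out of the office and will "
        "reply when I return. If your matter is urgent, please call."
    ),
    "externalReplyMessage": "",
}


def leaks_in(text):
    """Details an attacker can reuse: addresses, phone numbers, dates."""
    found = [f"email address {m}" for m in EMAIL_RE.findall(text)]
    dates = DATE_RE.findall(text)
    # Strip dates first so that 2024-07-21 is not also reported as a phone number.
    found += [f"phone number {m.strip()}" for m in PHONE_RE.findall(DATE_RE.sub(" ", text))]
    found += [f"date {m}" for m in dates]
    return found


def audit_auto_reply(settings):
    """Findings for one mailbox's automaticRepliesSetting; an empty list means it
    follows the advice above. Run it over every mailbox in the tenant."""
    findings = []
    if settings.get("status", "disabled") == "disabled":
        return findings
    audience = settings.get("externalAudience", "none")
    if audience != "none":
        findings.append(f"replies go to external senders (externalAudience={audience})")
        findings += [f"external reply leaks {leak}"
                     for leak in leaks_in(settings.get("externalReplyMessage", ""))]
    # Colleagues may know the dates, but the page's advice is: no phone number, even for them.
    findings += [f"internal reply leaks {leak}"
                 for leak in leaks_in(settings.get("internalReplyMessage", ""))
                 if leak.startswith("phone")]
    return findings


def safe_auto_reply_patch(internal_text, start, end, time_zone="UTC"):
    """Request body for PATCH /me/mailboxSettings that replies only inside the
    organisation, for the given period. Refuses a message that fails the audit."""
    body = {
        "automaticRepliesSetting": {
            "status": "scheduled",
            "externalAudience": "none",
            "scheduledStartDateTime": {"dateTime": start, "timeZone": time_zone},
            "scheduledEndDateTime": {"dateTime": end, "timeZone": time_zone},
            "internalReplyMessage": internal_text,
            "externalReplyMessage": "",
        }
    }
    problems = audit_auto_reply(body["automaticRepliesSetting"])
    if problems:
        raise ValueError("; ".join(problems))
    return body


if __name__ == "__main__":
    for label, settings in (("leaky", LEAKY_SETTINGS), ("safer", SAFER_SETTINGS)):
        print(label, audit_auto_reply(settings) or "no findings")
    print(safe_auto_reply_patch(SAFER_SETTINGS["internalReplyMessage"],
                                "2024-07-08T00:00:00", "2024-07-22T00:00:00"))
```

The audit deliberately ignores dates in the internal message, since the page’s point is that colleagues may know when you are away; it flags phone numbers everywhere, matching the “call, but no number” advice. Feed it the automaticRepliesSetting of each mailbox and the list of people to talk to falls out.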
Have a great summer vacation and stay sharp out there!
The Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.