Your Detailed Out-of-Office Autoresponder Could be Putting Your Organization’s Email Security at Risk
Tips for Writing Safe but Still Helpful OOO Email Messages.
The spirit of the out-of-office autoresponder has never been about email security. Instead, it has traditionally been about providing helpful contact information in the event that a coworker or a customer in need of assistance emails you while you’re away.
But it’s 2021, and for years attackers have been growing more sophisticated and finding narrower and more surreptitious ways of gaining access to corporate networks.
Email phishing is one of those ways. It’s a highly common attack vector that relies largely on an individual within a company clicking on a bad link or unwittingly providing personal information to a malicious entity.
However, phishing is not limited to employees who are actively reading their mail. Attackers can also take advantage of employees who are away from the office and not looking at their inbox at all.
The Out-of-Office Endpoint Vulnerability
Let’s look at the most common out-of-office email archetype.
It is typically automatically sent to anyone, inside or outside of the organization, who emails the employee.
It might read something like this:
I am out of the office from X-date to X-date at the XYZ event in X-location.
I will be returning on X-date. If you are in need of immediate assistance while I am away, you may contact the following individuals:
Coworker first & last name, position, office phone and/or cell phone number, email address
Supervisor first & last name, position, office phone and/or cell phone number, email address
If necessary, you may reach me on my cell phone at X-number.
Employee first & last name, position, office phone and/or cell phone number
Now, let’s break down some of the most glaring issues with this out-of-office email.
First, and most importantly, it includes a lot of information. If an attacker received this email autoresponder, they would know:
- The employee’s full name
- Where the employee is and what they are doing there
- How long the employee will be gone
- The employee’s contact information (including their personal cell phone number)
- The full names of two colleagues, one of whom is identified as the supervisor, which reveals a chain of command
How can an attacker use this information to their advantage? There are many ways, and here are a few big ones:
- Legitimizing an Email Address: An out-of-office response confirms that the email address exists and is actively delivered to. That confirmation is valuable to scammers on its own, but it also leaks the organization's address format: if the autoresponder comes from an address in the first.last@company form, an attacker will assume every other employee, including the colleagues named in the reply, can be reached at the same pattern.
- Gaining a known attack window: In knowing how long the employee will be gone, the attacker now has a verified time period during which they can exploit the out-of-office situation. This information can also be abused for physical security attacks, where someone with malicious intent could leverage the fact that a particular employee is out of the office.
- Accessing sensitive company data: Knowing the employee's full name, role, and whereabouts lets an attacker impersonate them convincingly. A social engineering email sent in the name of the out-of-office employee (or their supervisor) can cite details of the trip to make a request for data or credentials look legitimate, and the real employee is not around to contradict it.
- Identity theft: With an employee’s name, company, position, and cell phone number, as well as their supervisor’s name and contact information, an attacker can more easily steal the employee’s identity. The attacker could also access additional information about the employee; for example, impersonating the supervisor to request personal data from HR.
- Enhancing the attacker's knowledge base: All of the information provided via the autoreply, such as cell phone numbers of the employee and their supervisor, can be added to a knowledge base and used for further information gathering and follow-up attacks.
Strengthen Your Email Security with These Out-of-Office Email Tips
The next time you’re heading out of the office for a few days, consider these tips when crafting your out-of-office message and you’ll be helping to strengthen the overall security of your organization.
Separate Internal Autoresponders from External:
Remember how we mentioned that out-of-office auto-replies are often sent to everyone, whether they are inside or outside of the organization?
If you don't need an out-of-office auto-reply to go to any external clients or customers, change your email settings so the autoresponder goes only to internal senders. That way, a scammer probing your address gets no reply and cannot confirm that it is active.
Keep External Auto Replies Short and Sweet:
If you do need an auto-responder for external entities, include as little detail as possible. It should read something like this example:
I am currently unavailable, but am periodically reviewing my emails. There may be a delay in my response time but I appreciate your message and will get back to you as soon as possible.
Notice there is no mention of the out-of-office duration, or any specifics about the location.
Remove Corporate Information:
For any out-of-office email, it is best not to include a backup contact within your organization. If you must, provide only one, and leave out additional details, such as their title, that give insight into the chain of command or specific roles within your company.
Remove Additional Personal Details:
We also recommend that you do not include additional personal contact information, such as your cell phone number. Many email signatures already include these details and are appended to the auto-reply automatically, so check your signature as well.
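The four tips above can be applied directly in the mailbox's auto-reply configuration rather than left to each employee's judgement. The following is an added example for Exchange Online (it is not code from the original post); it assumes the ExchangeOnlineManagement PowerShell module is installed and that the mailbox, dates and messages shown are placeholders. It sets a detailed message for internal senders only, a minimal message for external senders, and then audits every mailbox in the tenant for active auto-replies that still reach external senders or that contain a phone number.

```powershell
# Added example, not part of the original article.
# Requires the ExchangeOnlineManagement module (assumption) and an admin session.
Connect-ExchangeOnline

# Placeholder mailbox and dates; replace with real values.
$mailbox   = "jane.doe@example.com"
$startTime = Get-Date "2021-06-07 00:00"
$endTime   = Get-Date "2021-06-11 23:59"

# Internal colleagues may see who is covering; that message never leaves the org.
$internalMessage = @"
I am out of the office until Friday, June 11. For urgent matters please
contact the team mailbox at team@example.com.
"@

# External senders get only a delay notice: no dates, no location, no contacts.
$externalMessage = @"
I am currently unavailable but am periodically reviewing my email.
There may be a delay in my response; I will get back to you as soon as possible.
"@

# -ExternalAudience None: external senders get no reply at all, so the address
# cannot be confirmed as live. Use Known (contacts only) or All only if an
# external reply is genuinely needed; the external message stays minimal either way.
Set-MailboxAutoReplyConfiguration -Identity $mailbox `
    -AutoReplyState Scheduled `
    -StartTime $startTime `
    -EndTime $endTime `
    -InternalMessage $internalMessage `
    -ExternalMessage $externalMessage `
    -ExternalAudience None

# Audit: find active auto-replies that still answer external senders, or whose
# external text contains something that looks like a phone number.
# Loose pattern for North American and international formats (assumption).
$phonePattern = '(\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}'

Get-Mailbox -ResultSize Unlimited |
    Get-MailboxAutoReplyConfiguration |
    Where-Object {
        $_.AutoReplyState -ne 'Disabled' -and (
            $_.ExternalAudience -ne 'None' -or
            $_.ExternalMessage -match $phonePattern
        )
    } |
    Select-Object Identity, AutoReplyState, ExternalAudience, ExternalMessage |
    Format-Table -AutoSize
```

The audit is the part worth scheduling: individual users can change their own auto-reply from Outlook at any time, so a periodic report of mailboxes whose external audience is not `None`, or whose external text carries a phone number, catches the detailed messages this article warns about before an attacker does.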
Do You Even Need an Out-of-Office Email Auto-Reply?
In today’s connected world where our phones give us round-the-clock access to our email, an out-of-office auto-reply may not be as important for some.
We’re not suggesting that vacations be burdened by checking emails. But if you do not need an auto-responder while you’re away because you can quickly address or forward important emails, you can avoid the email security risk altogether and skip the out-of-office autoresponder.
You can also use other methods of alerting coworkers to your absence. If your company is small, simply letting them know in a single email prior to your departure, or blocking off your calendar, might be sufficient.
However, we know in many cases an out-of-office auto-reply is the easiest and most effective way to alert coworkers and clients that you are away, and an out-of-office email helps relieve you of responsibility while you’re trying to enjoy a vacation.
For your next out-of-office email, keep in mind that less information is better; any period in which you are not closely monitoring your email is a window of exposure for your organization, and the auto-reply should not advertise it.
If you would like some help protecting your company against phishing attacks, and educating employees on email security awareness, contact us today.