In many enterprises today, guarding against data breaches and targeted attacks is one of the top concerns of IT administrators. One of the things that administrators guard against is reconnaissance and targeting of any potential high-value personnel who may fall victim to a targeted attack. A less obvious source of information leakage, however, is the humble out-of-office notification.
Consider what the typical content of an out-of-office notification is. It will have a brief explanation of why the respondent is out of the office, whom the sender can contact instead, and an estimate of when the respondent will return to the office. It may also include the user’s email signature, if they have one.
Individually, this may not be a great deal of information. However, it is easy for would-be attackers to gather multiple out-of-office notifications. Based on our research into spear-phishing (the findings of which will be released in an upcoming paper), the e-mail addresses of about half of all spear-phishing recipients can be found online using Google. In many cases, corporate e-mail addresses follow a predictable firstname.lastname@example.org format as well; this makes many addresses “known” so long as an employee’s name is known.
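The fields listed above (reason for absence, alternate contact, return date, signature) are exactly what an administrator would want to keep out of replies that go to external senders. The following script is an added example, not code from the original post: it audits the text of an auto-reply and reports which of those fields it exposes. The sample message, the regular expressions and the `audit_external_reply` function are all constructed for this illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample auto-reply; not a real message or a real person.
SAMPLE_REPLY = """Thank you for your email. I am out of the office on vacation
until Monday, 2 December and will have limited access to email.
For urgent matters please contact Jane Roe (jane.roe@example.org, +1 555 0100).

Regards,
John Doe
Senior Accountant, Finance
"""

# Patterns for each field the post identifies as leaked by a typical notification.
DATE_RE = re.compile(
    r"\b(?:until|back on|return(?:ing)? on)\s+(.+?)(?=\s+and\b|\s*[.;\n]|$)", re.I
)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
REASON_RE = re.compile(
    r"\b(?:vacation|holiday|conference|travell?ing|sick|parental|maternity)\b", re.I
)
# A closing line such as "Regards," usually precedes the signature block.
SIGNATURE_MARKERS = ("regards", "kind regards", "best regards", "thanks", "best,", "cheers", "--")


@dataclass
class Finding:
    kind: str   # which category of information was found
    text: str   # the matched text


def audit_external_reply(body: str) -> list[Finding]:
    """Return every piece of information in an auto-reply that an outside sender
    would learn: return date, alternate contacts, phone numbers, reason for
    absence and the signature block. An empty list means the reply is minimal."""
    findings: list[Finding] = []

    for m in DATE_RE.finditer(body):
        findings.append(Finding("return_date", m.group(1).strip()))
    for m in EMAIL_RE.finditer(body):
        findings.append(Finding("alternate_contact_email", m.group(0)))
    for m in PHONE_RE.finditer(body):
        findings.append(Finding("phone", m.group(0).strip()))
    for m in REASON_RE.finditer(body):
        findings.append(Finding("absence_reason", m.group(0)))

    # Everything after the first closing line is treated as the signature.
    lines = body.splitlines()
    for i, line in enumerate(lines):
        if line.strip().lower().startswith(SIGNATURE_MARKERS):
            sig = " | ".join(l.strip() for l in lines[i + 1:] if l.strip())
            if sig:
                findings.append(Finding("signature", sig))
            break
    return findings


def exposed_kinds(body: str) -> set[str]:
    """Convenience wrapper: the set of information categories a reply exposes."""
    return {f.kind for f in audit_external_reply(body)}


if __name__ == "__main__":
    for f in audit_external_reply(SAMPLE_REPLY):
        print(f"{f.kind:24s} {f.text}")
```

Run against the sample, the audit flags all five categories; a reply that says only that the sender will answer on their return flags none. Mail systems that support separate internal and external out-of-office messages (Exchange and Microsoft 365 do) let the detailed version go to colleagues while external senders receive the minimal one.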
The approaching holidays give would-be attackers a great opportunity to carry out this attack. In the United States, many workers will be on a long vacation over the Thanksgiving holiday. Later in the year, the Christmas/New Year period will see a similar opportunity, on an even larger scale.