In many enterprises today, guarding against data breaches and targeted attacks is one of the top concerns of IT administrators. One of the things that administrators guard against is reconnaissance and targeting of any potential high-value personnel who may fall victim to a targeted attack. A less obvious source of information leakage, however, is the humble out-of-office notification.
Consider what the typical content of an out-of-office notification is. It will have a brief explanation of why the respondent is out of the office, who the sender can alternately contact instead, and an estimate of when they will return to the office. It may also include the user’s email signature, if he has one.
Individually, this may not be a great deal of information. However, it is easy for would-be attackers to gather multiple out-of-office notifications. Based on our research into spear-phishing (the findings of which will be released in an upcoming paper), the e-mail addresses of about half of all spear-phishing recipients can be found online using Google. In many cases, corporate e-mail addresses follow a predictable firstname.lastname@example.org format as well; this makes many addresses “known” so long as an employee’s name is known.
The approaching holidays gives would-be attackers a great opportunity to carry out this attack. In the United States, many workers will be on a long vacation over the Thanksgiving holiday. Later in the year, the Christmas/New Year period will see a similar opportunity – on an even larger scale.
So, what can users and IT administrators do? Fortunately, e-mail server software has had the capability for several years now to properly control out-of-office notifications. For example, users can set one notification message to appear to people within an organization, while setting another for those outside it. Administrators can impose more sophisticated controls. Some users may not be allowed to send out-of-office notifications to external domains at all; rules can also be set adding specific domains to a blacklist/whitelist, depending on what level of security is desired.
Users may also want to consider limiting the information that they include in notifications: for example, instead of saying who to contact, the message may say instead to notify “my manager” or “my subordinates”. (The sender would presumably know who these people are.) Users may also opt not to use the feature at all, instead sending an email manually saying they’re out of the office to likely correspondents.
All in all, out of office notifications represent a valuable target for reconnaissance by determined attackers, but is a threat that can be secured within reason by users and administrators. What is needed is awareness that this threat even exists – which, hopefully, is something this entry has achieved.