Most of us will be familiar with Outlook's Out of Office auto reply feature. It's a convenient way to inform co-workers and other contacts about our absence, ensuring business continues as usual while we are away. However, auto replies can also be a major security risk.
They can potentially reveal a lot about us, and seemingly innocuous snippets of information can be a goldmine for cybercriminals engaging in phishing and social engineering.
What information can be revealed?
The mere presence of an auto reply message reveals a lot. Cybercriminals and spam bots send messages to huge databases of email addresses, looking for any response. These databases tend to contain large numbers of defunct or inactive addresses, so when an auto reply comes back it confirms to the sender that the address is active, immediately making it a more viable target.
The auto reply can also reveal whether an email address belongs to an individual or is a shared mailbox and, if a signature is included, phone numbers and physical addresses too.
We often include additional information within our auto replies, such as the duration of our absence and whether we are on holiday or a business trip. And we may include alternative contact details, sometimes revealing information on work projects and internal team structures.
All this information can be used to craft highly targeted and plausible spear phishing campaigns.
What can you do to avoid the risk of attack?
- Where possible, only enable internal auto replies (Inside My Organization). That way your mailbox will not provide information in response to any spam or phishing messages that arrive in your inbox.
- If you do need to enable external auto replies, create a separate message, and include as little information as you can.
- If you are in communication with a few key external contacts or vendors, it is safer to warn them of your absence directly and ahead of time.
- Avoid naming colleagues and providing their job titles and contact details. It is safer to include an appropriate shared mailbox if available.
- Do not include any details of your activities or whereabouts and avoid including the duration of your absence where possible.
- Do not include your usual email footer in your auto replies.
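For administrators, the points above can be checked and enforced centrally rather than relying on each user's Outlook settings. The following is an added example, not code from the article or its authors: it assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline), that the Get-MailboxAutoReplyConfiguration and Set-MailboxAutoReplyConfiguration cmdlets are available, and that the leak patterns and mailbox identities shown are constructed placeholders.

```powershell
# Added example (not from the original article): audit Exchange mailboxes for
# external auto replies that carry the kind of detail the guidance above says
# to leave out, then apply the recommended internal-only configuration.
# Assumes an Exchange Online PowerShell session is already open
# (Connect-ExchangeOnline); all mailbox identities are placeholders.

# Heuristic patterns for information the guidance says not to expose externally.
$LeakPatterns = @{
    'phone number'      = '\+?\d[\d\s().-]{7,}\d'
    'absence duration'  = '\b(until|back on|return(ing)?|from \d)'
    'alternative email' = '[\w.+-]+@[\w-]+\.[\w.]+'
    'job title'         = '\b(manager|director|head of|team lead|analyst)\b'
}

function Test-AutoReplyLeak {
    param([string]$Message)
    # Exchange stores the message as HTML; strip tags before matching.
    $text = ($Message -replace '<[^>]+>', ' ') -replace '\s+', ' '
    $hits = foreach ($kind in $LeakPatterns.Keys) {
        if ($text -match $LeakPatterns[$kind]) { $kind }   # -match is case-insensitive
    }
    return ($hits -join ', ')    # empty string when nothing matched
}

function Get-RiskyAutoReplies {
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $cfg = Get-MailboxAutoReplyConfiguration -Identity $_.Identity
        # Disabled, or internal-only (ExternalAudience None), is the desired state.
        if ($cfg.AutoReplyState -eq 'Disabled' -or $cfg.ExternalAudience -eq 'None') { return }
        [pscustomobject]@{
            Mailbox          = $_.UserPrincipalName
            ExternalAudience = $cfg.ExternalAudience   # Known = contacts only, All = anyone
            Leaks            = Test-AutoReplyLeak -Message $cfg.ExternalMessage
        }
    }
}

# Apply the guidance: detail goes in the internal message, external audience
# off by default, and if it must be on, a separate minimal external message.
function Set-MinimalAutoReply {
    param([string]$Identity, [string]$InternalMessage,
          [ValidateSet('None','Known')][string]$ExternalAudience = 'None')
    Set-MailboxAutoReplyConfiguration -Identity $Identity -AutoReplyState Enabled `
        -InternalMessage $InternalMessage -ExternalAudience $ExternalAudience `
        -ExternalMessage 'Thank you for your email. I am out of the office and will reply on my return.'
}

Get-RiskyAutoReplies | Where-Object { $_.Leaks } | Format-Table -AutoSize
Set-MinimalAutoReply -Identity 'user@example.com' -InternalMessage 'Out until Friday; contact the helpdesk shared mailbox.'
```

The leak patterns are deliberately simple heuristics for a first pass; the report lists each mailbox whose external audience is wider than None together with the kinds of detail its external message appears to contain.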
Find out more
You’ll find more information about protecting your personal devices in Toolkit’s Information Security resource.
Author: Information Security Team, DDIS