Posted April 16, 2015
By Robert McDaniel
As the guy who sends out the marketing emails at Cyveillance (yes, I’m THAT guy), I see a lot of out-of-office auto-replies in any given month.
Having worked in cybersecurity for more than seven years, I’ve developed an appreciation for both information and physical security. With the RSA Conference coming up in a few days, and awaiting my barrage of Out of Office emails, I think now is the perfect time to discuss this seemingly innocuous topic.
Why? Because even in the security world, I’ve noticed there is often a disconnect between security thinking and the out-of-office reply.
The following is a perfect example of what I am talking about:
Most people on the receiving end wouldn’t give this reply a second look, but from a security perspective it is a threat actor’s dream. At first glance it seems benign and doesn’t appear to give away anything of value. Looking at it from a threat actor’s perspective, however, I not only have a new contact (the alternate person named in the reply) to target with a spear-phishing campaign; I may also be able to gather enough information to establish trust within your organization and perhaps even pin down where you are.
Based on the dates and the person’s position, I could guess they are probably going to RSA 2015. If I wanted to confirm it, I would have enough information to call or email someone else in the organization, verify it, and possibly learn more about their whereabouts. This seemingly innocent response has opened the person up to physical security threats, as well as to information security threats against the organization. In my experience, many people include far more detail than this in their autoresponders.
How can you ensure you or your colleagues don’t give out unnecessary information?
First, disclosing detailed travel plans through out-of-office replies can pose a physical security risk, particularly to high-level executives or public figures, by giving activists, stalkers, or criminals the information they need to pursue their respective goals.
Although an autoreply from a corporate email account may seem innocent, and in most cases it is, an autoreply that points recipients to a personal email address or phone number links the target’s personal identity to their corporate one, which puts public or corporate figures at risk. Combined with information about the target’s plans, the implication is clear: the sender of the email now knows the recipient’s whereabouts and has an opportunity to compromise their privacy and safety.
Second, too much information, or TMI, feeds the social engineering tactics used in phishing campaigns. The mere fact that an autoreply came back confirms that the address is live and read. Experts at Trend Micro describe how cybercriminals collect out-of-office notifications, subscribe the senders to spammers’ mailing lists without their consent, and then use those lists for phishing campaigns.
Spear phishers, in turn, can mine out-of-office replies for the contact details they typically carry, such as phone number, job title, supervisor’s name, email address, and even personal mobile number, and use them to assess weaknesses in the target’s security posture and build a convincing pretext.
When creating out-of-office messages, limit notifications to recipients within the organization wherever you can, and only for the specific period you are away. If external contacts require a notification, whitelist trusted senders and limit how much information the external message shares.
Most importantly, as you compose your autoresponder, ask yourself, “Is this TMI?” Andy O’Donnell, a network security expert at About.com, offers this maxim: “If you wouldn’t tell a room full of strangers the information, you shouldn’t put it in your out-of-office reply.”
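To turn those two rules into something you can actually check, here is an added Python example (mine, not code from the original post or from Cyveillance). It lints an autoreply for the disclosure classes discussed above (phone numbers, email addresses, travel dates, a location or event, a named alternate contact, a reporting line, personal devices) and then picks which message, if any, to send back based on the sender’s domain: full detail for colleagues, a terse message for whitelisted external domains, and nothing for everyone else. The two sample replies, the example.com internal domain and the partner.example trusted domain are constructed for illustration; the regexes are heuristics you would tune to your own mail.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample autoreplies for illustration (not from the original post).
CHATTY_REPLY = (
    "Thanks for your email. I am out of the office from April 20 through "
    "April 24 attending the RSA Conference in San Francisco and will have "
    "limited access to email. For urgent matters please contact my manager, "
    "Jane Smith, at jane.smith@example.com or 555-867-5309. You can also "
    "reach me on my personal cell at (555) 123-4567."
)

MINIMAL_REPLY = (
    "Thank you for your message. I am currently out of the office with "
    "limited email access and will respond when I return."
)

MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?"

# One pattern per disclosure class. These are heuristics: they will miss
# creative phrasing and should be tuned to the mail your organization sends.
PATTERNS: Dict[str, re.Pattern] = {
    # North American style numbers; extend for other regions.
    "phone_number": re.compile(
        r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}"),
    "email_address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    # "April 20", optionally a range such as "April 20 through April 24".
    "travel_dates": re.compile(
        rf"{MONTH}\s+\d{{1,2}}(?:\s*(?:through|to|-|until)\s*{MONTH}\s+\d{{1,2}})?",
        re.I),
    # Event words, or "in <Proper Name>", which usually names a city.
    "location_or_event": re.compile(
        r"\b(?:[Cc]onference|[Ss]ummit|[Tt]ravell?ing|[Aa]ttending"
        r"|in [A-Z][a-z]+(?: [A-Z][a-z]+)?)\b"),
    # "contact ... Jane Smith": the alternate contact a phisher targets next.
    "named_contact": re.compile(
        r"\b(?:contact|reach)\b[^.]*?\b([A-Z][a-z]+ [A-Z][a-z]+)"),
    "reporting_line": re.compile(
        r"\bmy (?:manager|supervisor|boss|assistant|director)\b", re.I),
    "personal_device": re.compile(
        r"\bpersonal (?:cell|mobile|phone|email)\b", re.I),
}


def audit_autoreply(text: str) -> Dict[str, List[str]]:
    """Return every disclosure class found in the autoreply, with its matches."""
    findings: Dict[str, List[str]] = {}
    for label, pattern in PATTERNS.items():
        # For named_contact the capture group is the name; otherwise whole match.
        hits = [m.group(m.lastindex or 0).strip() for m in pattern.finditer(text)]
        if hits:
            findings[label] = hits
    return findings


def is_tmi(text: str) -> bool:
    """The post's rule of thumb as a boolean: anything flagged is too much."""
    return bool(audit_autoreply(text))


def select_reply(sender: str, internal_domain: str, trusted_domains: Set[str],
                 internal_msg: str, external_msg: str) -> Optional[str]:
    """Pick the autoreply for a sender: the detailed message for colleagues,
    the terse one for whitelisted external domains, nothing for anyone else."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain == internal_domain.lower():
        return internal_msg
    if domain in {d.lower() for d in trusted_domains}:
        return external_msg
    return None


if __name__ == "__main__":
    for name, reply in (("chatty", CHATTY_REPLY), ("minimal", MINIMAL_REPLY)):
        print(f"{name}: TMI={is_tmi(reply)}")
        for label, hits in audit_autoreply(reply).items():
            print(f"  {label}: {hits}")
    # Constructed domains: example.com is "us", partner.example is whitelisted.
    for sender in ("alice@example.com", "buyer@partner.example",
                   "anyone@unknown.example"):
        chosen = select_reply(sender, "example.com", {"partner.example"},
                              CHATTY_REPLY, MINIMAL_REPLY)
        print(sender, "->", "no reply" if chosen is None else chosen[:40] + "...")
```

Run as a script it flags all seven classes in the chatty reply and none in the minimal one, and shows the routing decision for an internal, a whitelisted and an unknown sender. The same audit could be run over the autoreply text stored on every mailbox before a conference season, which is a cheaper control than hoping each person asks themselves the TMI question.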