BEC scammers take advantage of “Out-of-office” Microsoft 365 users

Fraudsters found a way during the recent holiday season to take advantage of users' "Out of office" messages to sneak messages into business inboxes.
That's the finding of researchers at Abnormal Security who say that in December 2020 they saw attempts to evade automatic detection by corporate email security systems when many users had their automatic "Out of office" message enabled in Microsoft 365.
According to researchers, the "Out of office" attack works like this: 
A fraudster creates a typical business email compromise (BEC) email, designed to scam a company out of money.
 Rather than sending the email as-is, however, the scammer manipulates its headers (in this case the "Reply-To:" field) so that replies are directed to another individual within the targeted organisation.
 So the email may be sent to one employee (let's call them John), but the "Reply-To" header contains another employee's email address (let's call them Tina).
 John has his Out-of-office reply enabled, so when he receives the fraudulent email an automatic reply is generated. That Out-of-office reply is not sent back to the true sender but to Tina instead, and it carries the scammer's text along with it.
Because this email originates from John's account rather than someone external, it may not be stopped by systems the company has put in place to warn of (and perhaps even automatically block) emails from outside the organisation.
And many business users will automatically put more faith in an email which appears to originate from inside the organisation, rather than one which has been marked as coming from an external source.
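The header trick described above can be checked for at the mail gateway, before any auto-reply is generated. The following is an added example, not code from the article or from Abnormal Security: it parses a constructed message (hypothetical addresses and domains) and flags mail whose From domain is external to the organisation while its Reply-To points back inside it, which is exactly the combination the attack relies on. It also shows where an automatic reply would be addressed, since auto-replies honour Reply-To when it is present.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: an external BEC lure whose Reply-To is pointed at a
# second employee of the targeted company. All addresses are hypothetical.
SAMPLE_BEC_LURE = """\
From: "CEO" <ceo.office@examp1e-corp.com>
To: john@example-corp.com
Reply-To: tina@example-corp.com
Subject: Urgent wire transfer before close of business
Message-ID: <20201218.1@examp1e-corp.com>

Tina, please process the attached invoice today and confirm once sent.
"""

# Constructed benign samples for comparison (also hypothetical addresses).
SAMPLE_EXTERNAL_NO_REPLYTO = """\
From: supplier@vendor-example.net
To: john@example-corp.com
Subject: Invoice 4471

Attached as agreed.
"""

SAMPLE_INTERNAL_REDIRECT = """\
From: john@example-corp.com
To: tina@example-corp.com
Reply-To: finance-shared@example-corp.com
Subject: Use the shared mailbox

Please reply to the shared mailbox, not to me.
"""

# The organisation's own domain(s); assumed for this example.
INTERNAL_DOMAINS = {"example-corp.com"}


def domains_in(header_value):
    """Lower-cased domain of every address found in one header value."""
    if not header_value:
        return set()
    return {addr.rsplit("@", 1)[-1].lower()
            for _, addr in getaddresses([header_value]) if "@" in addr}


def auto_reply_target(raw_message):
    """Address an automatic reply (such as Out-of-office) would be sent to.

    Auto-responders honour Reply-To when present and fall back to From,
    which is what lets the attacker choose the recipient of John's reply.
    """
    msg = message_from_string(raw_message)
    header = msg["Reply-To"] or msg["From"] or ""
    pairs = [addr for _, addr in getaddresses([header]) if "@" in addr]
    return pairs[0].lower() if pairs else None


def is_internal_reply_to_lure(raw_message, internal_domains=INTERNAL_DOMAINS):
    """True when From is outside the organisation but Reply-To is inside it.

    Internal mail that redirects replies to another internal mailbox is
    legitimate and is not flagged; external mail without Reply-To is not
    flagged either, because its auto-reply goes back to the sender.
    """
    msg = message_from_string(raw_message)
    internal = {d.lower() for d in internal_domains}
    from_internal = bool(domains_in(msg["From"]) & internal)
    reply_to_internal = bool(domains_in(msg["Reply-To"]) & internal)
    return (not from_internal) and reply_to_internal


if __name__ == "__main__":
    for name, raw in [("lure", SAMPLE_BEC_LURE),
                      ("external", SAMPLE_EXTERNAL_NO_REPLYTO),
                      ("internal", SAMPLE_INTERNAL_REDIRECT)]:
        print(name, "-> auto-reply to", auto_reply_target(raw),
              "| flagged:", is_internal_reply_to_lure(raw))
```

A rule of this shape belongs on the inbound path: if the gateway quarantines or tags the external lure, John's mailbox never sees it and no Out-of-office reply is generated. Matching only on an external From, as the organisation's existing external-sender banner does, misses the attack because the dangerous message, the auto-reply, is genuinely internal by the time Tina receives it.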
According to the researchers at Abnormal Security, the same type of technique has been seen with emails that have taken advantage of "read receipt" notifications, as well as "Out-of-office" replies.
What we're not told ..