BEC Scammers Take Advantage of “Out-of-Office” Microsoft 365 Users

Fraudsters found a way during the recent holiday season to take advantage of users’ “Out of office” messages to sneak messages into business inboxes.

That’s the finding of researchers at Abnormal Security who say that in December 2020 they saw attempts to evade automatic detection by corporate email security systems when many users had their automatic “Out of office” message enabled in Microsoft 365.

According to researchers, the “Out of office” attack works like this:

A fraudster creates a typical business email compromise (BEC) email, designed to scam a company out of money.

However, rather than just sending the email as-is, the scammer manipulates the headers of the email (in this case the “Reply-to:” field) to point to another individual within the targeted organisation.

So, the email may be sent to one employee (let’s call them John), but the “Reply-to” header contains another employee’s email address (let’s call them Tina).

John has his Out-of-office reply enabled, so when he receives the fraudulent email an automatic reply is generated. However, the Out-of-office reply is not sent back to the true sender, but to Tina instead – and includes the extortion text.

Because this email originates from John’s account rather than someone external, it may not be stopped by systems the company has put in place to warn of (and perhaps even automatically block) emails from outside the organisation.

And many business users will automatically put more faith in an email which appears to originate from inside the organisation, rather than one which has been marked as coming from an external source.
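The mechanism above rests on one observable precondition: an inbound message whose "From" is external but whose "Reply-To" points at an address inside the organisation. The following is an added example, not code from the original article or from Abnormal Security, showing how a mail gateway or post-delivery scan could flag that mismatch before an out-of-office reply can relay the scam to a colleague. The domain names, message samples and function names are all constructed for the example.

```python
"""Flag inbound mail whose Reply-To points back inside the organisation while
the sender is external, which is the setup the out-of-office relay relies on.
Sample messages and the internal domain list are constructed for this example."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own mail domains (constructed value).
INTERNAL_DOMAINS = {"corp.example"}


def domain_of(header_value):
    """Return the lower-cased domain part of the first address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def assess_reply_to(raw_message, internal_domains=INTERNAL_DOMAINS):
    """Inspect From/Reply-To and report whether an auto-reply would be redirected
    to a colleague instead of the real sender."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_to_dom = domain_of(msg.get("Reply-To"))
    external_sender = bool(from_dom) and from_dom not in internal_domains
    reply_redirected_inside = bool(reply_to_dom) and reply_to_dom in internal_domains
    suspicious = external_sender and reply_redirected_inside
    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_to_dom,
        "suspicious": suspicious,
        "reason": "external sender with Reply-To inside the organisation"
        if suspicious else "",
    }


# Constructed sample: external sender, Reply-To set to a colleague (the pattern
# described in the article). ".invalid" is a reserved TLD, used here on purpose.
SUSPICIOUS = """\
From: "Accounts" <payments@attacker.invalid>
To: john@corp.example
Reply-To: tina@corp.example
Subject: Urgent wire transfer
Content-Type: text/plain

Please process the attached invoice today.
"""

# Constructed sample: ordinary external mail, Reply-To matches the sender.
BENIGN = """\
From: vendor@supplier.invalid
To: john@corp.example
Reply-To: vendor@supplier.invalid
Subject: Invoice

Hi John, invoice attached.
"""

# Constructed sample: internal mail with no Reply-To header at all.
INTERNAL = """\
From: tina@corp.example
To: john@corp.example
Subject: Lunch

Still on for noon?
"""


def scan(messages):
    """Return the subjects of every message the check flags."""
    flagged = []
    for raw in messages:
        verdict = assess_reply_to(raw)
        if verdict["suspicious"]:
            flagged.append(message_from_string(raw).get("Subject", ""))
    return flagged


if __name__ == "__main__":
    for subject in scan([SUSPICIOUS, BENIGN, INTERNAL]):
        print("flagged:", subject)
```

A rule like this is a complement to, not a replacement for, external-sender banners: the out-of-office reply itself is generated internally, so the place to catch the mismatch is on the inbound message before the mailbox auto-responds. Domain comparison alone will not catch a Reply-To that uses a look-alike domain; that case still needs the usual anti-impersonation controls.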

According to the researchers at Abnormal Security, the same type of technique has been seen with emails that have taken advantage of “read receipt” notifications, as well as “Out-of-office” replies.

What we’re not told is how successful this technique might have been at tricking businesses which have been targeted in this fashion, or how many instances the researchers have seen of the attack in the wild.

Although the number of instances may be comparatively small, and the risk of a savvy employee being duped by it modest, it’s still an indication that scammers are always looking for novel methods to get their fraudulent messages in front of the eyeballs of employees.

Be on your guard, and read emails carefully to determine if they are likely to have really been sent by a colleague, or are a fiendish attempt to pull the wool over your eyes.