I'm concerned about my coworkers' use of out-of-office (OOO) notifications, particularly during the holidays, and how they may be used to carry out targeted or phishing attacks against the company. Do you have any advice for lowering out-of-office message security risk? Is there a template for the information that should be provided in an out-of-office notification? Or are out-of-office notifications worth the risk?
Ask the Expert
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email. (All questions are anonymous.)
An out-of-office message ensures that clients and colleagues know that their email or voice message isn't being ignored and/or provides an alternative point of contact who can address their query or problem. However, the amount of detail that some OOO notifications contain, such as the day or time of return, the reason for absence, an email signature and alternative contact details, is a goldmine of useful information for hackers and criminals. This information can be leveraged in social engineering and targeted attacks. Also, an email out-of-office reply confirms that a particular address is genuine and monitored, which makes it worth harvesting for verified email spam lists; because an auto-reply goes to whatever sender address an incoming message carries, it also generates backscatter when that sender address has been forged.
Users should certainly limit the information that they include in OOO notifications. Location, duration and reason for absence, job title, contact information and detailed alternative contact information are all unnecessary. Information detailing physical absence should never be given; thieves and hackers can launch a break-in or attack knowing that an individual will not be around. Vague wording, such as "currently unable to reply" or "unavailable at the moment," leaves potential attackers uncertain and is more than adequate to serve the message's intended purpose. Instead of naming a specific individual to contact, the message could instead say to contact "my department." For voicemail, users should say something equally noncommittal, such as "I am unable to take your call. Call our main switchboard if you need further help." Alternatively, incoming email and voice messages can simply be forwarded to a colleague, provided that he or she is fully briefed on the absence and will not give out sensitive information.
Network administrators can configure their email server software in various ways to make OOO messages more secure. They can block certain users from setting OOO messages, disable notifications to external domains, or limit them solely to people in the user's address book. Better still, one notification message can be set for people within the organization and another for those outside it; OOO messages sent to external email addresses should never have a signature attached. High-value personnel should never reveal their comings and goings, and should have all inquiries directed through a well-trained, security-aware secretary.
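The two recommendations above (strip the risky details from the text, and keep a separate, vaguer reply for external recipients) can be checked mechanically before an auto-reply is enabled. The following is an added example, not code from the original article or from Michael Cobb: a small audit that scans a drafted OOO message for the categories of disclosure the answer says to leave out, and a gate that only permits an external-audience reply when nothing is flagged. The two sample messages and the pattern list are constructed for illustration; a real deployment would tune the patterns (job titles, phone formats, date formats) to the organisation's own conventions.

```python
import re

MONTHS = ("January|February|March|April|May|June|July|August|"
          "September|October|November|December")

# Constructed sample replies (not taken from the article).
DETAILED_OOO = """Hi, I'm out of the office on vacation in Spain from 23 December until 6 January
and will not be checking email. For urgent issues about the payroll migration,
please contact Jane Smith, Finance Director, on +44 20 7946 0001.
Regards,
John Doe, Head of Finance, Example Corp, +44 20 7946 0000"""

VAGUE_OOO = "I am currently unable to reply to email. Please contact my department for assistance."

# One pattern per category of information the guidance says an OOO reply should omit.
# These are illustrative heuristics, not an exhaustive classifier.
CHECKS = {
    # Reason for absence (vacation, conference, sick leave, travel ...)
    "absence_reason": re.compile(
        r"\b(?:vacation|holidays?|annual leave|conference|sick|maternity|paternity|travel(?:ling|ing)?)\b",
        re.I),
    # Duration / return date: "until 6 January", "from 23 December", ISO or slashed dates
    "return_date": re.compile(
        rf"\b(?:until|back on|return(?:ing)? on|from)\s+\d{{1,2}}(?:st|nd|rd|th)?\s+(?:{MONTHS})\b"
        r"|\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b",
        re.I),
    # Telephone numbers (direct dials are contact information the reply should not carry)
    "phone_number": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
    # A named alternative contact ("contact Jane Smith") rather than "contact my department"
    "named_alternate": re.compile(r"\bcontact\s+(?:[A-Z][a-z]+)(?:\s+[A-Z][a-z]+)+"),
    # Job titles, which tell an attacker whom they are impersonating or targeting
    "job_title": re.compile(
        r"\b(?:Director|Manager|Head of [A-Z][a-z]+|Chief [A-Z][a-z]+ Officer|CEO|CFO|CTO)\b"),
    # Physical location: "in Spain", "at Head" ... (month names excluded to avoid "in January")
    "location": re.compile(rf"\b(?:in|to|at)\s+(?!(?:{MONTHS})\b)[A-Z][a-z]+\b"),
    # A sign-off line usually introduces a full signature block
    "signature_block": re.compile(
        r"^(?:Regards|Kind regards|Best regards|Best|Thanks|Cheers),?[ \t]*$", re.I | re.M),
}


def audit_ooo(text: str) -> dict[str, list[str]]:
    """Return {category: [matched snippets]} for every risky disclosure found in the draft."""
    findings: dict[str, list[str]] = {}
    for category, pattern in CHECKS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            findings[category] = hits
    return findings


def external_reply_allowed(text: str) -> bool:
    """Gate for the external-audience copy: permit it only when the audit is clean.

    Mirrors the server-side control of disabling or restricting replies to
    external domains, applied to the message text itself."""
    return not audit_ooo(text)


def external_template(department: str) -> str:
    """The vague wording recommended for outsiders: no dates, reason, names or signature."""
    return (f"I am currently unable to reply to email. "
            f"Please contact {department} for assistance.")


if __name__ == "__main__":
    for label, msg in (("detailed", DETAILED_OOO), ("vague", VAGUE_OOO)):
        findings = audit_ooo(msg)
        print(f"{label}: external reply allowed = {external_reply_allowed(msg)}")
        for category, hits in findings.items():
            print(f"  {category}: {hits}")
    print(external_template("the finance department"))
```

Running the block flags the detailed draft in every category (reason, two dates, two phone numbers, a named contact, two titles, a location and a sign-off) and passes the vague one; the same checks could be run at the mail gateway against the external-audience text of each mailbox before that audience is enabled.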
Users should be made aware of the risk of information leakage in OOO notifications, as well as in social media profiles, where employees often post their whereabouts. Personal data that could assist in a targeted attack, such as important location and diary events, should never be posted online. While OOO notifications are useful because they keep clients and colleagues from wondering what has happened to their inquiry, they should be kept brief to limit the security risk. The less said, the better.
This was first published in April 2013