
BEC Scammers Take Advantage of "Out-of-Office" Microsoft 365 Users

Graham Cluley

January 29, 2021


Fraudsters found a way during the recent holiday season to take advantage of users' "Out of office" messages to sneak messages into business inboxes.

That's the finding of researchers at Abnormal Security who say that in December 2020 they saw attempts to evade automatic detection by corporate email security systems when many users had their automatic "Out of office" message enabled in Microsoft 365.

According to researchers, the "Out of office" attack works like this: 

A fraudster creates a typical business email compromise (BEC) email, designed to scam a company out of money.

 However, rather than just sending the email as-is, the scammer manipulates the headers of the email (in this case the "Reply-to:" field) to point to another individual within the targeted organisation.

 So, the email may be sent to one employee (let's call them John), but the "Reply-to" header contains another employee's email address (let's call them Tina).

 John has his Out-of-office reply enabled, so when he receives the fraudulent email an automatic reply is generated. However, the Out-of-office reply is not sent back to the true sender, but to Tina instead - and includes the extortion text.

Because this email originates from John's account rather than someone external, it may not be stopped by systems the company has put in place to warn of (and perhaps even automatically block) emails from outside the organisation.

And many business users will automatically put more faith in an email which appears to originate from inside the organisation, rather than one which has been marked as coming from an external source.

According to the researchers at Abnormal Security, the same type of technique has been seen with emails that have taken advantage of "read receipt" notifications, as well as "Out-of-office" replies.
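A gateway-style check for the header manipulation described above, as an added example that is not from the original article or from Abnormal Security: it flags mail from an external sender whose "Reply-To" (or, for the read-receipt variant, "Disposition-Notification-To", which is an assumption about the header involved) names an internal mailbox that was not a recipient. The domain `example.com`, the sample messages and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
# Headers that steer automatic responses. Disposition-Notification-To is the
# standard read-receipt request header (assumed to be the one abused there).
REDIRECT_HEADERS = ("Reply-To", "Disposition-Notification-To")

# Constructed sample: external sender, addressed to John, replies steered to Tina.
SUSPICIOUS = """\
From: Accounts <billing@supplier.example.net>
To: John <john@example.com>
Reply-To: tina@example.com
Subject: Overdue invoice

Please arrange payment today.
"""

# Constructed sample: external sender whose Reply-To is also external.
BENIGN = """\
From: Newsletter <news@vendor.example.org>
To: John <john@example.com>
Reply-To: support@vendor.example.org
Subject: Monthly update

Hello.
"""

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def _addresses(msg, header):
    # Collect every address in every occurrence of the header, lower-cased.
    return [a.lower() for _, a in getaddresses(msg.get_all(header, [])) if "@" in a]

def auto_reply_redirects(raw_message):
    """Return (header, address) pairs where an external sender points an
    automatic-response header at an internal mailbox that is not a recipient."""
    msg = message_from_string(raw_message)
    senders = _addresses(msg, "From")
    if not senders or all(_domain(s) in INTERNAL_DOMAINS for s in senders):
        return []  # no parseable From, or an internal From: not covered by this check
    recipients = set(_addresses(msg, "To") + _addresses(msg, "Cc"))
    findings = []
    for header in REDIRECT_HEADERS:
        for addr in _addresses(msg, header):
            if _domain(addr) in INTERNAL_DOMAINS and addr not in recipients:
                findings.append((header, addr))
    return findings
```

A non-empty result is a reason to quarantine the message or to suppress automatic replies and read receipts for it before any are generated.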

What we're not told is how successful this technique might have been at tricking businesses which have been targeted in this fashion, or how many instances the researchers have seen of the attack in the wild.

Although the number of instances may be comparatively small, and the risks of a savvy employee being duped by it less than huge, it's still an indication that scammers are always looking for novel methods to get their fraudulent messages in front of the eyeballs of employees.

Be on your guard, and read emails carefully to determine if they are likely to have really been sent by a colleague, or are a fiendish attempt to pull the wool over your eyes.



Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
