At this point, please pick up an interesting, which I read a few days ago, in which he addresses the topic of the out-of-office message as a security risk.
The topic itself is not new and was included in the catalogue of measures by the BSI years ago. Nevertheless, it makes sense to look at the case again and raise awareness among all users, especially in your own company.
Out of Office Reminder – Light and Shadow
The function of the absence notice in the email application such as Outlook appears to be a useful function to inform other people inside and outside the company about your absence. This is to avoid the other person waiting for an answer, possibly calling without success or being informed.
But there is also a danger here. If the out-of-office message is sent to every sender (or rather, “broadcast”), useful information may be revealed to spammers or attackers. The information obtained can then z. B. be misused for social engineering attacks.
What information is disclosed, and what impact can it have?
We have already seen many texts and constellations of absence notices, whether from internal colleagues or external contacts. Often people will not be directly aware of the information content they are revealing to a potential attacker.
What possible solutions are conceivable?
At first glance, the out-of-office notice appears to be a tried and tested means of good organization. At a second glance, the function harbours numerous security risks.
For this reason, you should heed the following points in your company (but also privately) and sensitize your users again and again:
The out-of-office notice should be sent to the smallest possible group of recipients.
Rarely does an incoming email require an immediate response? In theory, many emails can also be answered days later. And the most important colleagues should know about the absence anyway and should not be surprised if no direct answer follows.
Firstly, Outlook offers a practical way of distinguishing between internal and external senders. One possibility would be to set the out-of-office agent exclusively Within my organization. External transmitters then receive no message at all.
If this is not possible, Outlook offers the possibility to restrict sending to only my contacts Outside my organization. In my opinion, that should be the maximum threshold that can still be accepted. Under no circumstances should the out-of-office notice go to all broadcasters
Stick to the “Principle of least privilege.”
No matter what level you choose, as suggested under 1.), the absence message should contain as little information as possible. i.e. not reveal any information about how long you will be absent or where you are. Also, no internal data such as names of colleagues, extensions or email addresses should be passed on.
Ask yourself what an attacker could do with the data.
Work with mailbox authorizations or forwarding during longer absences.
If emails also have to be processed during shorter absences (e.g. sales, purchasing), a possible solution could also be not to activate any absence notifications. Instead, a direct representative is named who can cover the area of responsibility of the absentee. The representative then answers all (important) emails to customers, department heads, etc., on his behalf.
Two bonus tips in general – especially for IT admins and apart from the security risk especially for IT admins
Vacation is a vacation.
There is certainly a contradiction in this sentence; especially we IT admins often try to answer emails and help our dear users even when we are on vacation. Here I can only agree with the suggestion never to reply directly to emails outside your team. An email and another and another often follow the answer.
Suppose you receive an urgent email, for example, from a department head or managing director. In that case, the email should be forwarded to the representative in your team with a request for processing. The colleague will probably only be concerned that his problem is solved. And you don’t have to spend hours typing emails during your vacation – in the worst case, even on your smartphone.
When you’re on vacation, nothing works? Have your colleagues create a list of tasks that could not be completed during your absence. As Bob Plankers writes in his blog post, this is a great opportunity for team cross-training or to revise the documentation.
As with the tiresome topic of fake invoices, as an IT administrator or IT manager, you have to sensitize users again and again to the security risk of out-of-office messages. In many cases, the colleagues are not aware of the risks.
You cannot appreciate the consequences of sharing such information through social engineering techniques. Some will not even have heard the term social engineering. As is well known, all technical refinements and hurdles are of little use if the human risk factor remains the weakest link in the chain.