Mitigating Out-of-Office Autoresponder Risks

Did you know your automatic out-of-office reply could be exposing our company to serious cybersecurity risks?

Examine the following auto-reply message:

“Hello, I will be traveling internationally and out of the office until January 12th. For urgent matters, please contact [coworker’s name, phone number and e-mail].”

While this message sounds harmless, helpful, and convenient, you may be giving cybercriminals exactly what they need to launch an attack.

Scammers and hackers now have the contact information and context they need to create a sense of urgency, which increases the likelihood of a successful phishing attack on coworkers using social engineering techniques.

They know who to impersonate and who to target. For instance, they might pretend to be your assistant or coworker and send a fake invoice to accounting marked as urgent. Or they may send a text message to a coworker pretending to be you needing assistance gaining access to systems or paying an urgent invoice.

In addition to exposing yourself and the company to social engineering phishing attacks, hackers also gain valuable insight, aiding them in:
  1. Gaining a known attack window
  2. Email address validation
  3. Accessing sensitive company data
  4. Identity theft
  5. Enriching databases used by other cybercriminals

Recommendations and Policies to Mitigate Risks

Omnus Law recommends not using out-of-office autoresponders if possible.

If you feel an out-of-office autoresponder is necessary, please follow the policies below:
  1. Make sure to set both the start and end date on your Auto Reply message(s).
  2. Keep the autoresponder message extremely vague, giving as little detail as possible. Use a message similar to the following: “Thank you for your email. I’m currently unavailable and will respond as soon as possible upon my return.”
  3. If more detail is needed for internal use, consider setting separate and distinct Auto Reply messages for internal and external replies. (See the section below on Setting Separate Internal and External Auto Replies.)

Setting Separate Internal and External Auto Replies

Our Microsoft email platform allows you to set different auto-reply messages for internal (Inside My Organization) and external (Outside My Organization) individuals. The system identifies the email address of the sender and replies with one of the two messages depending on whether the sender has an Omnus email account.

You can use either the web-based Microsoft Outlook or the native Outlook app on your computer to set Internal and External Auto Replies:
  1. Click on the gear icon or go to settings then search for "Automatic Replies" (alternatively once in settings, click on Account then Automatic Replies).
  2. Enable automatic replies: Select the Send automatic replies checkbox, or toggle the "Automatic Replies On" switch to the on position.
  3. Set a time range: Check the box to Only send replies during this time period and set your start and end dates and times.
  4. Write your internal message: Go to the Inside My Organization tab and type the message you want to send to colleagues within your company.
  5. Write your external message: Go to the Outside My Organization tab and type the message you want to send to those outside your organization.
  6. Configure external recipients: Ensure the box that says Send replies outside my organization is checked for this message to be sent to external senders. You can also choose whether to send replies to everyone outside the organization or only to your contacts.
  7. Save your changes: Click Save or OK to save your settings.
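
For IT staff, an added PowerShell example (not part of the original policy) that checks auto-reply settings against the policies above. Property names follow the output of Exchange Online's Get-MailboxAutoReplyConfiguration cmdlet; the function name Test-AutoReplyPolicy, the keyword patterns and the sample mailboxes are assumptions constructed for illustration.

```powershell
# Added example: flags auto-reply settings that break the policies above.
# Property names match Get-MailboxAutoReplyConfiguration output; the rest is assumed.
function Test-AutoReplyPolicy {
    param([Parameter(ValueFromPipeline)] $Config)
    process {
        if ($Config.AutoReplyState -eq 'Disabled') { return }
        $findings = @()
        # Policy 1: a start and end date must be set (state "Scheduled").
        if ($Config.AutoReplyState -ne 'Scheduled') { $findings += 'no start/end date' }
        # Policies 2 and 3: replies to outside senders must stay vague.
        if ($Config.ExternalAudience -ne 'None') {
            # Exchange stores the message as HTML; strip tags before matching.
            $text = $Config.ExternalMessage -replace '<[^>]+>', ' '
            if ($text -match '[\w.+-]+@[\w-]+(\.[\w-]+)+') { $findings += 'email address' }
            if ($text -match '\+?\d[\d\s().-]{7,}\d') { $findings += 'phone number' }
            if ($text -match '\b(travel\w*|vacation|conference|until)\b') {
                $findings += 'absence details'
            }
        }
        if ($findings) {
            [pscustomobject]@{ Mailbox = $Config.Identity; Findings = $findings -join '; ' }
        }
    }
}

# Constructed sample objects so the example runs offline.
$samples = @(
    [pscustomobject]@{ Identity = 'user.a'; AutoReplyState = 'Enabled'; ExternalAudience = 'All'
        ExternalMessage = '<p>I am traveling until January 12th. Call Jane Doe at +1 (555) 010-0199.</p>' }
    [pscustomobject]@{ Identity = 'user.b'; AutoReplyState = 'Scheduled'; ExternalAudience = 'All'
        ExternalMessage = 'Thank you for your email. I am currently unavailable and will respond as soon as possible upon my return.' }
)
$samples | Test-AutoReplyPolicy | Format-Table -AutoSize

# Against a live tenant (needs the ExchangeOnlineManagement module and Connect-ExchangeOnline):
# Get-EXOMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
#     ForEach-Object { Get-MailboxAutoReplyConfiguration -Identity $_.UserPrincipalName } |
#     Test-AutoReplyPolicy
```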


Questions? Contact Omnus IT Support Staff for assistance:
IT Help Desk Hotline: +1 (737) 313-3923