EMAIL - Out of office notification risks
Trend Labs shares an informative article related to Out of office notification risks
QUOTE: Many enterprises today, guarding against data breaches and targeted attacks is one of the top concerns of IT administrators. One of the things that administrators guard against is reconnaissance and targeting of any potential high-value personnel who may fall victim to a targeted attack. A less obvious source of information leakage, however, is the humble out-of-office notification. Consider what the typical content of an out-of-office notification is. It will have a brief explanation of why the respondent is out of the office, who the sender can alternately contact instead, and an estimate of when they will return to the office. It may also include the user’s email signature, if he has one.
Individually, this may not be a great deal of information. However, it is easy for would-be attackers to gather multiple out-of-office notifications. Based on our research into spear-phishing, the e-mail addresses of about half of all spear-phishing recipients can be found online using Google. In many cases, corporate e-mail addresses follow a predictable format as well; this makes many addresses “known” so long as an employee’s name is known.
So, what can users and IT administrators do? Fortunately, e-mail server software has had the capability for several years now to properly control out-of-office notifications. For example, users can set one notification message to appear to people within an organization, while setting another for those outside it. Users may also want to consider limiting the information that they include in notifications: for example, instead of saying who to contact, the message may say instead to notify “my manager” or “my subordinates”. All in all, out of office notifications represent a valuable target for reconnaissance by determined attackers, but is a threat that can be secured within reason by users and administrators. What is needed is awareness that this threat even exists – which, hopefully, is something this entry has achieved.