Going On Holiday? Cybercriminals Aim To Exploit Out-Of-Office Replies

The Egress Threat Intelligence team has detected an 83.6% increase in scouting phishing emails between May 1 and June 30, 2023, compared with March 1 to April 30, 2023. These emails aim to identify organizations' and individuals' personal time off (PTO) patterns or other absences from work through the automatic out-of-office responses they trigger. The scouting attacks were sent from multiple spoofed email addresses via servers located in Russia and Japan.

In the second step of this campaign, the cybercriminals applied the intelligence they had gathered about absences to send phishing emails impersonating absentees. These impersonation attacks originated from the same servers as the scouting emails.

Quick Attack Summary

  • Vector and type: Email phishing
  • Techniques: Scouting attacks, impersonation attacks
  • Payloads: Phishing links and payloadless attacks for business email compromise (BEC)
  • Targets: Organizations in the USA and UK
  • Platform: Microsoft 365
  • Bypassed Secure Email Gateway (SEG) and native security: Yes

What Do Scouting Emails Look Like?

On their own, the scouting emails don't appear particularly sophisticated. Each email contained a hyperlink, and while our analysts observed that a unique link was used in every scouting email, all of the links followed the same pattern of pseudo-random characters and numbers, with no more than six digits in each. The links were all hosted on 'app.link'.

These attacks were sent from a compromised, legitimate domain, enabling them to bypass both Microsoft 365 and SEG detection and reach recipients' inboxes. While they appear simplistic and may well be identified as phishing by the recipient, they have already achieved their primary aim by the time they land: triggering an out-of-office reply.

Analysis by our Threat Intelligence team revealed the hyperlinks also contain pixel tracking. Should the recipient not identify this as a phishing attack and click on the link, the tracking will confirm the email was received and provide the cybercriminal with metadata, including the recipient’s IP address, browser name, and operating system version, which can be used in subsequent attacks.
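As an added illustration (not Egress's detection logic or code from the article), the following Python script parses a constructed scouting message and flags links matching the pattern described above: hosted on app.link with an alphanumeric path containing no more than six digits. The sender, recipient and link value are made up; app.link is also a legitimate short-link service, so a hit is an indicator to correlate with other signals rather than proof on its own.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Constructed sample of the scouting lure described above: a thin pretext with
# one short link on app.link whose path is pseudo-random letters and digits.
SAMPLE_SCOUT = """From: "Accounts" <accounts@compromised-sender.test>
To: zachary@victim.test
Subject: Document shared with you

Please review the document here: https://app.link/Ab3kX9q2Lm7
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
SHORT_PATH_RE = re.compile(r"^/[A-Za-z0-9]{6,}$")  # bare alphanumeric path, no query
MAX_DIGITS = 6  # "no more than six digits in each" link, per the article

def message_text(msg: Message) -> str:
    """Concatenate the decoded text/* parts of a parsed message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def is_scouting_link(url: str) -> bool:
    """True for an app.link URL whose path fits the scouting-link pattern.
    app.link is a legitimate short-link service, so treat a hit as an indicator
    to correlate with other signals (external sender, thin body), not as proof."""
    p = urlparse(url)
    host = p.netloc.lower()
    if host != "app.link" and not host.endswith(".app.link"):
        return False
    if not SHORT_PATH_RE.match(p.path):
        return False
    return sum(ch.isdigit() for ch in p.path) <= MAX_DIGITS

def scouting_indicators(raw_message: str) -> dict:
    """Return the scouting-style links found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    urls = URL_RE.findall(message_text(msg))
    hits = [u for u in urls if is_scouting_link(u)]
    return {"scouting_links": hits, "flag": bool(hits)}
```

Run over a mail-flow export, the `flag` field is the kind of per-message signal that can be joined against outbound auto-reply logs to see which scouting emails actually triggered an out-of-office response.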

Following the scouting emails, our threat analysts then observed impersonation attacks using spoofed aliases for individuals whose accounts sent out-of-office responses.

What do Impersonation-Based BEC Attacks Look Like?

The impersonation attacks show a far greater level of sophistication when compared with the scouting emails. As well as the intelligence gathered using the out-of-office replies, from the level of accurate detail contained within the attacks it is evident that the cybercriminal has conducted additional research about their targets using open-source intelligence (OSINT) and uses this to create a seemingly plausible backstory for their request to change payroll details.

The attacks used a spoofed email address for the impersonated individual and, despite wording to the contrary, were sent from a desktop computer, not a mobile device.

Egress Analysis: Creating Highly Credible BEC Attacks using Scouting, OSINT, Pretexting, and Impersonation

Targeted research using scouting emails and OSINT

By using scouting emails, the attacker can establish:

  • Whether a mailbox is active or not
  • Whether the recipient clicked the hyperlink; a click proves the email was received (and not quarantined or sent to Junk), and the pixel tracking also reveals the recipient's IP address, browser name, and operating system version
  • What automatic reply (if any) is set up for an active mailbox, which, in this instance, is used to impersonate individuals who are on PTO

The scouting emails are used as the first stage in this two-step phishing campaign and are used as an intelligence-gathering exercise.

This intelligence is then augmented by OSINT, which is likely to have been gathered via social media. Through this process, the attackers identified several facts about the individuals involved in or mentioned in the attack:

  • Ronn cycles as a hobby
  • Zachary reports into Peter
  • Zachary handles payroll for the organization
  • Peter is a new starter at the organization, and the appointment was announced on social media 48 hours before the BEC attack was sent

Pretexting to Build Credibility and Socially Engineer the Victim

In the 2023 Data Breach Investigations Report, Verizon revealed that pretexting had almost doubled since the previous year.

The second attack in this campaign shows a high level of pretexting, with the cybercriminal attempting to build a credible backstory for their request and socially engineer the victim, including:

  • Ronn forgetting their work phone to excuse the ad-hoc communication and convince Zachary that they can’t contact Ronn via details provided by the organization
  • Sharing a new mobile number (controlled by the cybercriminals) for any questions to reassure Zachary that the request is legitimate and to ‘move the attack’ to an application/device that is less likely to have security applied to it (versus the risk that an advanced email security solution detects the attack)
  • Offering an immediate explanation for the different name on the bank account and assurance that this has been verified with Peter
  • The addition of 'Sent from my iPhone', even though technical analysis shows the email was sent from a desktop, adds credibility to the story that Ronn is traveling

The email also contains language designed to further social engineer the victim, including:

  • A request for help (‘Hoping you can help’), which is designed to trigger an emotional response from the victim
  • ‘This will need to be processed today’, ‘this months payroll’, and ‘same day transfer’ to create a sense of urgency that will encourage the victim to act quickly without querying the request
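As an added example, not code from Egress or the article, this Python function scores one message against the indicators listed above: an employee display name on an external sender address, a mobile signature contradicted by a desktop mailer header, a new contact number, the appeal for help, the urgency phrases, and the bank-detail change. The sample email, internal domain, directory entry and X-Mailer value are constructed; the article does not say how Egress determined the sending device, so the header comparison is an assumed proxy for that analysis.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the payroll-change pretext above; the names,
# domains, X-Mailer header and phone number are made up, not the real email.
SAMPLE_BEC = """From: "Ronn Example" <ronn.example@free-webmail.test>
To: zachary@victim.test
Subject: Payroll update
X-Mailer: Microsoft Outlook 16.0

Hi Zachary, hoping you can help. I left my work phone at home, so reach me on
my new mobile 07700 900123 with any questions. Please pay this months payroll
to a new bank account; it is in my partner's name, Peter has verified this.
This will need to be processed today as a same day transfer.

Sent from my iPhone
"""

INTERNAL_DOMAIN = "victim.test"                         # assumed tenant domain
INTERNAL_PEOPLE = {"ronn example": "ronn@victim.test"}  # constructed directory
URGENCY = ("processed today", "this months payroll", "same day transfer")
HELP_REQUEST = ("hoping you can help", "can you help")
PAYMENT_CHANGE = ("bank account", "account details", "bank details")
NEW_CONTACT = re.compile(r"\b(new|personal)\s+(mobile|number|phone)\b")
DESKTOP_MAILERS = ("microsoft outlook", "thunderbird")  # assumed desktop clients

def bec_indicators(raw_message: str) -> list[str]:
    """Return the spoofing and social-engineering indicators found in one message."""
    msg = message_from_string(raw_message)
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = " ".join(body.split()).lower()  # collapse line wraps so phrases match
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    if name.lower() in INTERNAL_PEOPLE and not addr.lower().endswith("@" + INTERNAL_DOMAIN):
        found.append("employee display name on external sender address")
    # Proxy for the article's "sent from a desktop" finding: mobile signature vs. client header
    mailer = (msg.get("X-Mailer") or msg.get("User-Agent") or "").lower()
    if "sent from my iphone" in text and any(m in mailer for m in DESKTOP_MAILERS):
        found.append("mobile signature but desktop mail client header")
    if NEW_CONTACT.search(text):
        found.append("new contact number supplied for follow-up")
    if any(p in text for p in HELP_REQUEST):
        found.append("appeal for help")
    urgent = [p for p in URGENCY if p in text]
    if urgent:
        found.append("urgency: " + ", ".join(urgent))
    if any(p in text for p in PAYMENT_CHANGE):
        found.append("bank detail change request")
    return found
```

A single indicator is weak evidence; the value is in the combination, which is why the function returns the full list rather than a verdict.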

Detecting BEC attacks that Leverage Social Engineering

Cybercriminals use the tactics displayed in this campaign to increase both deliverability and the likelihood that the recipient will fall victim.

Both the scouting emails and the subsequent impersonation attacks bypassed signature-based and reputation-based detection used by the perimeter security offered by Microsoft 365 and SEGs.

The social engineering tactics, including elaborate pretexting, used in the second phase of the campaign can make it incredibly difficult for the recipients to recognize this as a phishing attack.

As a result, organizations should ensure they have the appropriate processes and defenses in place. Any changes to financial details or payments should be verified through a channel other than the one supplied in the initial request (i.e. not by replying to the email or by using any new contact details it supplies).

Organizations should also enhance their anti-phishing defenses using behavior-based email security. Integrated cloud email security (ICES) solutions, such as Egress Defend, use natural language processing (NLP) and natural language understanding (NLU) to detect the linguistic indicators of social engineering. Integrating seamlessly into Microsoft 365, ICES solutions offer an additional layer of defense to protect organizations from advanced phishing attacks.


As advanced persistent threats continue to evolve, we recognize that people are the biggest risk to organizations' security and are most vulnerable when using email.

Egress, a KnowBe4 company, is the only cloud email security provider to continuously assess human risk and dynamically adapt policy controls, preparing customers to defend against advanced phishing attacks and outbound data breaches before they happen. Leveraging contextual machine learning and neural networks, with seamless integration using cloud-native API architecture, Egress provides enhanced email protection, deep visibility into human risk, and instant time to value.
