Years ago, I encountered a crazy case where a key member of an IT consulting company decided to share confidential information in their Out of Office (OOF) messages, such as their personal email address and phone number.
While this person was enjoying their vacation, bad actors were receiving the OOF messages as they attempted to send spoofed emails to their address.
🎉 The party began: the bad actors gained access to the personal mailbox of the individual by using their phone number as the password. And to make matters worse (drumroll, please…), the person had a mailbox rule forwarding company emails to their personal mailbox.
About six months later, the company shut down after multiple payments were made to unknown accounts, and confidential information from several clients was exposed.
Reflecting on this experience, I created the following query to increase awareness about the destination of these auto-reply messages, which often contain sensitive information such as:
– The period during which the person will be out (a prime time to target their account)
– Secondary email addresses for contact
– Phone numbers
And more…
My suggestion? If you plan to maintain external OOF auto-reply messages, ensure you have strong security awareness training to educate users on what information should be shared. (Yes, DLP and other tools can help too!)
EmailEvents
// add your automatic replies cases in your languages
| where Subject startswith "Automatic reply:"
| where DeliveryAction has "Delivered" and EmailDirection has "Outbound"| extend Username = split(RecipientEmailAddress, "@")[0], Domain = tostring(split(RecipientEmailAddress, "@")[1])
| extend DomainParts = split(RecipientEmailAddress, ".")
| extend DomainExtensions = tostring(DomainParts[-1])
| summarize count() by DomainExtensions ,EmailDirection, DeliveryAction,DeliveryLocation, ThreatTypes
// if you want to have deeper information instead of a general view, you can use the next line and remove/comment the previous one
//| distinct SenderDisplayName, SenderMailFromDomain, SenderIPv4, RecipientEmailAddress,DomainExtensions,Domain,Subject, EmailDirection, DeliveryAction, DeliveryLocation, ThreatTypes