Researchers have discovered two business email compromise (BEC) attack techniques that exploit Microsoft 365 “read receipt” and “out of office” message loopholes to evade auto-remediation of a malicious email.
In a blog posted Tuesday, Abnormal Security reported that in using these techniques, scammers target victims with BEC extortion notes by redirecting their own Microsoft 365 “out of office” replies and “read receipts” back to them. The researchers said these attacks were observed over the U.S. holidays in December 2020, when out-of-office replies and auto-responders were more prevalent.
Through both techniques, the attackers prepared an extortion email and manipulated the email headers so the target would receive “read receipt” or “out of office” notifications from Microsoft 365 instead of the attacker. The extortion email was then sent and auto-remediated by the target’s email security system. However, the manipulated email header triggered a “read receipt” notification and “out-of-office” notification back to the target that included the text of the extortion.
Armed with knowledge of these attacks, Abnormal said it has developed techniques to protect its users from these malicious emails. Organizations lacking protection are potentially left vulnerable to these cleverly configured attacks, the researchers said.
Tom Pendergast, chief learning officer at MediaPro, explained that it’s the use of the auto-responder cycle that makes this attack so diabolical because the actual extortion prompt can be easily diagnosed.
“The reason the use of the auto-responder loop is so effective is that it enhances the ‘feeling’ of legitimacy for those who turned those on while they were away,” Pendergast said. “The scam applies a veneer of legitimacy, but employees with the right sleuthing skills and training will see through this to knock aside the attempt.”
Colin Bastable, CEO of Lucy Security said it’s an interesting attack because the hackers are exploiting Microsoft workflow and automation to deliver the message and make some money scamming unsuspecting users.
"The attacks themselves are harmless and not typical BEC attacks,” Bastable said. “They are not delivering a payload, there’s no link for the target to click so they will not cause immediate damage. They have nuisance value. The advice for anyone receiving these is to ignore them.”