Scammers Target Microsoft 365 Read Receipt and Out of Office Reply Loophole for BEC Attacks - Abnormal Security

Scammers Target Microsoft 365 Read Receipt and Out of Office Reply Loophole for BEC Attacks

Abnormal Security detected two new types of attacks where scammers are targeting victims by redirecting their own Microsoft 365 Out of Office replies as well as read receipts back to them. These tactics indicate attackers are using every available tool and loophole to their advantage in the hopes of a successful BEC attempt. These attacks were observed over the U.S. holidays in December 2020, where Out of Office replies and auto-responders are more prevalent.

Read Receipts Attack

The following is an account of the read receipts attack. The scammer prepares a BEC attack (in this case, an extortion email), and manipulates the email headers (“Disposition-Notification-To”) so the target would receive a read receipt notification from M365, instead of the attacker.

The extortion email is sent, gets by traditional security solutions and lands in the employee inbox, where it is auto-remediated by Abnormal.

However, even though the original extortion email was auto-remediated, the manipulated email header triggered a read receipt notification back to the target that includes the text of the extortion. 

Abnormal now auto-remediates M365 read receipt notifications if they are preceded by a malicious email. However, for organizations without this protection, employees are vulnerable to these cleverly configured attacks that can reach the inbox.

Example of Read Receipt attack in Abnormal Security’s portal.

Out of Office Reply Attack

The following is an account of the Out of Office Reply attack. Similar to the read receipts scam, the scammer prepares a BEC attack (another extortion email), and manipulates the email headers (“Reply-To”). The difference here is, if the target has an Out of Office Reply turned ON, the notification can be directed to a second target within the organization, not the attacker.

As with the Read Receipts attack, the extortion email gets by traditional security solutions and lands in the employee inbox, where it is auto-remediated by Abnormal.

Even though the original extortion email was auto-remediated, the manipulated email header triggered an Out of Office reply to a second target that includes the text of the extortion. 

Abnormal has developed techniques to remove unwanted Out of Office and auto-reply messages stemming from malicious emails. For organizations lacking protection in this area, these emails cause alarm and confusion.

Example of original extortion attack caught by Abnormal Security.

Example of extortion attack analysis by Abnormal Security.

To protect your organization from never seen before attacks that get past traditional email security solutions such as these, request a demo to see how Abnormal Security can help you.

Related content