Well it’s summer holiday time and conference time. I hope you are all looking forward to the peace and quiet of empty offices and reduced interruptions followed by 4 weeks of “How was your trip?”

I am sure that you will be careful with your out-of-office notice, but what about your colleagues?

What will their Out of Office messages leak about your organisation?

 

Here is an example of one I have received recently (anonymised of course!)

Hi there,

I am off-site with limited connectivity, back in the office on Thursday ### August.

You can reach me on mobile, or please contact one of my colleagues below:

For CLIENT 1 and CLIENT 2 – please contact NAME1, FirstName.SecondName@Domain.com or Phone

For CLIENT 3 – please contact Director’s Name, FirstName.SecondName@Domain.com or Phone

For CLIENT 4 – please contact NAME2, FirstName.SecondName@Domain.com or Phone

 

For any other enquiries, please contact Director’s Name, FirstName.SecondName@Domain.com or Phone

Fairly simple email? I bet you have hundreds in your email and, at a guess, your organisation will also be sending out a fair few too!

 

Well … let’s look beyond the usefulness of the email and think about what data could be leaking here …

  1. There are the names of 4 clients that this company works alongside
  2. There are 2 alternative colleagues’ details relating to this person that could be used for background intelligence
  3. Also listed are a director’s direct contact details

Ah yes, but so what?!

Great question, but it is important not to assume that only corporate contacts will be emailing this person. Spammers? Criminals? So let me explain the dangers of each point.

  1. Corporate espionage. If I were a rival company, I now have 4 clients I can target, and I know that you are not there to defend yourself.
  2. Having one email address does not guarantee the structure of all email addresses across an organisation – but having a variety of email addresses from potentially different parts of the organisation (directors, managers etc) will give a potential attacker the format and structure to then target other people in the organisation, e.g. Finance Director.
  3. Spammers etc. have now been able to confirm that your email address works, plus obtain a set of others.

So what’s the alternative?

An out-of-office is meant to advise someone who is trying to reach you that you are not available and that there is an alternative contact.

So think about how that can be communicated securely. You don’t need to send out contact details, client names etc. Why not direct correspondence instead to an out-of-office email address? Department@

Maybe direct people to a switchboard with expertise in taking messages and directing information around your company.
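One way to check a draft before it goes out, as an added example that is not part of the original post: a small linter that flags the details discussed above (named addresses, phone numbers, return dates, client names) and reports when the addresses shown give away the organisation's address format. The function names, the allow-list of shared mailboxes, and the sample drafts are all assumptions made for illustration.

```python
import re

# Detail types the post identifies as leaking from an auto-reply.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
PHONE_RE = re.compile(r"(?<![\w@.])\+?\d[\d ()-]{7,}\d\b")
DATE_RE = re.compile(
    r"\b(?:\w+day\s+)?\d{1,2}(?:st|nd|rd|th)?\s+"
    r"(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*", re.I)

def lint_auto_reply(text, client_names=(), shared_mailboxes=()):
    """Return (line_no, category, matched_text) for each risky detail found."""
    shared = {m.lower() for m in shared_mailboxes}  # hypothetical allow-list
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in EMAIL_RE.finditer(line):
            if m.group().lower() not in shared:
                findings.append((no, "named-address", m.group()))
        findings += [(no, "phone", m.group()) for m in PHONE_RE.finditer(line)]
        findings += [(no, "return-date", m.group()) for m in DATE_RE.finditer(line)]
        for name in client_names:
            if re.search(r"\b" + re.escape(name) + r"\b", line, re.I):
                findings.append((no, "client-name", name))
    return findings

def exposes_address_format(findings):
    """True when 2+ named addresses on one domain share a local-part shape,
    which is what lets a reader guess other staff addresses."""
    shapes = {}
    for _, category, value in findings:
        if category == "named-address":
            local, domain = value.lower().rsplit("@", 1)
            shape = (re.sub(r"[a-z0-9]+", "x", local), domain)
            shapes[shape] = shapes.get(shape, 0) + 1
    return any(count >= 2 for count in shapes.values())

# Constructed sample drafts (fictional names, reserved example.com domain).
LEAKY = """I am off-site, back in the office on Thursday 14 August.
For Acme Widgets please contact Alex, alex.morgan@example.com or 01632 960123
For anything else contact our director, sam.patel@example.com"""
SAFE = "I am currently unavailable. Please email enquiries@example.com."

if __name__ == "__main__":
    for finding in lint_auto_reply(LEAKY, client_names=["Acme Widgets"]):
        print(finding)
```

Pass the organisation's own client list and shared mailbox addresses in; a draft that returns no findings names nobody and gives no dates.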

Your turn…

  • What’s the most outrageous out-of-office you received?
  • What information has leaked from your suppliers/contractors/customers?
  • What are you doing?
  • What does your Out Of Office notice say?
  • What do those on your team say?

 
