BEC Scammers Find New Ways to Navigate Microsoft 365

Their techniques made use of out-of-office replies and automatic responses during the 2020 holiday season, researchers report.

Dark Reading Staff, Dark Reading

January 27, 2021

1 Min Read
Dark Reading logo in a gray background | Dark Reading

Business email compromise (BEC) scammers targeted victims' out-of-office replies and read receipts during the 2020 holiday season, when many took time off work and automatic replies were more prevalent, researchers report.

Attackers targeted victims by redirecting their own Microsoft 365 out-of-office messages back to them, Abnormal Security noticed. A scammer would write an extortion email and manipulate the email headers ("Reply-To"). If the target has an out-of-office reply turned on, the alert can be redirected to a second target within the organization — not back to the attacker, researchers report. 

"Even though the original extortion email was auto-remediated, the manipulated email header triggered an Out of Office reply to a second target that includes the text of the extortion," they write in a blog post. 

Similarly, in a "read receipts" attack, the scammer would write an extortion email and change the email headers ("Disposition-Notification-To") so the target would receive a read receipt notification from Microsoft 365 instead of the attacker. The manipulated email header would trigger a read-receipt notification back to the target, which includes the text of the extortion. 

Read more details here.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights