Cybercriminals don’t take holidays: How bad actors use this two-step phishing campaign to weaponize out-of-office replies

James Dyer | 28th Jul 2023

The Egress Threat Intelligence team detected an 83.6% increase in scouting phishing emails between May 1 and June 30, 2023, compared with March 1 to April 30, 2023. These emails aim to identify organizations’ and individuals’ personal time off (PTO) patterns, or other absences from work, through the automatic out-of-office responses they trigger. The scouting attacks were sent from multiple spoofed email addresses via servers located in Russia and Japan.

In the second step of this campaign, the cybercriminals applied the intelligence they had gathered about absences to send phishing emails impersonating absentees. These impersonation attacks originated from the same servers as the scouting emails.

Quick attack summary

Vector and type: Email phishing

Techniques: Scouting attacks, impersonation attacks

Payloads: Phishing links and payloadless attacks for business email compromise (BEC)

Targets: Organizations in USA and UK

Platform: Microsoft 365

Bypassed SEG and native security: Yes

What do the scouting emails look like?

On their own, the scouting emails do not appear particularly sophisticated. Each email contained a hyperlink and, while our analysts observed that a unique link was used in every scouting email, they were all composed of the same pattern of pseudo-random characters and numbers, with no more than six digits in each. The links were all hosted on ‘app.link’.

Scouting email sent as part of two-step phishing campaign, with anti-phishing banners added by Egress Defend

These attacks were sent from a compromised legitimate domain, enabling them to bypass both Microsoft 365 and secure email gateway (SEG) detection to enter recipients’ inboxes. While they appear simplistic and will possibly be identified as phishing emails by the recipient, they have achieved their primary aim to trigger an out-of-office reply.

Analysis by our Threat Intelligence team revealed that the hyperlinks also contain pixel tracking. Should the recipient not identify the email as phishing and click the link, the tracking confirms the email was received and provides the cybercriminal with metadata, including the recipient’s IP address, browser name, and operating system version, which can be used in subsequent attacks.
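The link pattern described above (a unique app.link URL per message, built from pseudo-random letters and digits with no more than six digits) is a usable detection signature on its own. The following is an added example, not code from Egress or from the post: it parses raw messages, extracts the URLs in their text parts, and flags a batch in which every message carries a distinct link of that shape. The sample messages are constructed for the example, and the path-length bounds are an assumption, since the post only states the digit limit and the host.

```python
"""Detect the scouting-email pattern: a message whose hyperlink is a
unique app.link URL of pseudo-random letters and digits (no more than
six digits), and a batch in which every such link differs."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed samples for this example (not the campaign's actual emails).
SCOUTING_SAMPLES = [
    """From: "Accounts" <accounts@compromised-example.com>
To: alice@victim-example.com
Subject: Document
Content-Type: text/plain; charset="utf-8"

Please review https://app.link/a7Qx93Lk
""",
    """From: "Accounts" <accounts@compromised-example.com>
To: bob@victim-example.com
Subject: Document
Content-Type: text/plain; charset="utf-8"

Please review https://app.link/Zr41pQ8m
""",
]
BENIGN_SAMPLE = """From: "Newsletter" <news@vendor-example.com>
To: alice@victim-example.com
Subject: Monthly update
Content-Type: text/plain; charset="utf-8"

Read the full story at https://vendor-example.com/blog/july-update
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
SHORTLINK_HOST = "app.link"                   # host named in the post
PATH_RE = re.compile(r"^[A-Za-z0-9]{4,16}$")  # assumed length bounds for the path
MAX_DIGITS = 6                                # "no more than six digits"


def extract_urls(raw: str) -> list:
    """Return every http(s) URL found in the text parts of a raw RFC 822 message."""
    msg = message_from_string(raw)
    urls = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        urls.extend(URL_RE.findall(text))
    return urls


def is_scouting_link(url: str) -> bool:
    """True for a single-segment app.link path of mixed letters and digits with <= 6 digits."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host != SHORTLINK_HOST and not host.endswith("." + SHORTLINK_HOST):
        return False
    path = parsed.path.strip("/")
    if not PATH_RE.match(path):
        return False
    digits = sum(ch.isdigit() for ch in path)
    # require both letters and digits, and respect the digit ceiling
    return 0 < digits <= MAX_DIGITS and digits < len(path)


def scan_batch(raw_messages) -> dict:
    """Flag each message carrying a scouting link and report whether the links are all distinct."""
    flagged, links = [], []
    for index, raw in enumerate(raw_messages):
        hits = [u for u in extract_urls(raw) if is_scouting_link(u)]
        if hits:
            flagged.append(index)
            links.extend(hits)
    unique = len(set(links))
    return {
        "flagged": len(flagged),
        "unique_links": unique,
        # several flagged messages, each with its own link, is the campaign signature
        "campaign_pattern": len(flagged) >= 2 and unique == len(links),
    }


if __name__ == "__main__":
    print(scan_batch(SCOUTING_SAMPLES))   # flagged 2, unique 2, campaign_pattern True
    print(scan_batch([BENIGN_SAMPLE]))    # flagged 0
```

Detection of this kind only explains the traffic after the fact: the out-of-office reply is generated on receipt, so the scouting stage has already succeeded by the time a rule fires. The control that removes the leak is limiting automatic replies to internal senders, or keeping external auto-replies free of dates, return dates, and delegate names.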

Following the scouting emails, our threat analysts then observed impersonation attacks using spoofed aliases for individuals whose accounts sent out-of-office responses.

What do the impersonation-based business email compromise (BEC) attacks look like?

The impersonation attacks show a far greater level of sophistication when compared with the scouting emails. As well as the intelligence gathered using the out-of-office replies, from the level of accurate detail contained within the attacks it is evident that the cybercriminal has conducted additional research about their targets using open-source intelligence (OSINT) and uses this to create a seemingly plausible backstory for their request to change payroll details.

Impersonation-based business email compromise (BEC) attack, with anti-phishing banners added by Egress Defend

The attack uses a spoofed email address for the impersonated individual and, despite wording to the contrary, was sent from a desktop computer, not a mobile device.

Egress analysis: Creating highly credible BEC attacks using scouting, OSINT, pretexting, and impersonation

Targeted research using scouting emails and OSINT

By using scouting emails, the attacker can establish:

  • Whether a mailbox is active or not
  • Whether the recipient clicked the hyperlink and, if they did, this proves the email was received (and not quarantined or sent to Junk), with pixel tracking also revealing the recipient’s IP address, browser name, and operating system version
  • What automatic reply (if any) is set up for an active mailbox, which in this instance, is used to impersonate individuals who are on PTO

The scouting emails are used as the first stage in this two-step phishing campaign and as an intelligence-gathering exercise.

This intelligence is then augmented by OSINT, which is likely to have been gathered via social media. Through this process, they have identified several facts about the individuals involved or mentioned in the attack:

  • Ronn cycles as a hobby
  • Zachary reports into Peter
  • Zachary handles payroll for the organization
  • Peter is a new starter at the organization, whose arrival was announced on social media 48 hours before the BEC attack was sent

Pretexting to build credibility and socially engineer the victim

In the 2023 Data Breach Investigations Report, Verizon revealed that pretexting had almost doubled since the previous year. You can get more insights from Verizon's annual report in our on-demand webinar with renowned cybersecurity expert, Chris Novak.

The second attack in this campaign shows a high level of pretexting, with the cybercriminal attempting to build a credible backstory for their request and socially engineer the victim, including:

  • Ronn forgetting their work phone to excuse the ad-hoc communication and convince Zachary that they can’t contact Ronn via details provided by the organization
  • Sharing a new mobile number (controlled by the cybercriminals) for any questions to reassure Zachary that the request is legitimate and to 'move the attack’ to an application/device that is less likely to have security applied to it (versus the risk that an advanced email security solution detects the attack)
  • Offering an immediate explanation for the different name on the bank account and assurance that this has been verified with Peter
  • The addition of ‘Sent from my iPhone’ to add credibility to the story that Ronn is traveling, when technical analysis shows the email was sent from a desktop

The email also contains language designed to further social engineer the victim, including:

  • A request for help (‘Hoping you can help’), which is designed to trigger an emotional response from the victim
  • ‘This will need to be processed today’, ‘this month's payroll’, and ‘same day transfer’ to create a sense of urgency that will encourage the victim to act quickly without querying the request
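The indicators listed in this section and in the pretexting list above (an employee's display name on an external address, a mobile signature the headers contradict, a plea for help, urgency and payment-change wording, and a new phone number to move the conversation off email) can each be checked mechanically. The following is an added example written for this page, not Egress Defend's detection logic or any code from the post: it scores a raw message on those indicators and returns the reasons so a reviewer sees why it was held. The sample messages, the employee directory, the header used to infer a desktop client, and the hold threshold are all assumptions of the example.

```python
"""Score an inbound email for the impersonation and pretexting indicators
described in the post, returning the reasons rather than a bare verdict."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample loosely modelled on the attack described; the names,
# addresses and phone number are placeholders, not the original message.
SAMPLE_BEC = """From: "Ronn Example" <ronn.example@freemail-example.net>
Reply-To: ronn.example@freemail-example.net
To: zachary@victim-example.com
Subject: Payroll
X-Mailer: Microsoft Outlook 16.0
Content-Type: text/plain; charset="utf-8"

Hi Zachary,

Hoping you can help. I left my work phone at home and I'm travelling, so I'm
using my personal email. I need to update my bank details for this month's
payroll; this will need to be processed today as a same day transfer. The
account is in my partner's name, Peter has already verified this. Any
questions call me on +1 555 0100.

Sent from my iPhone
"""

SAMPLE_BENIGN = """From: "Ronn Example" <ronn.example@victim-example.com>
To: zachary@victim-example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Are you free for lunch on Thursday?

Sent from my iPhone
"""

# Stand-in for a directory lookup (assumed): lower-cased display names the
# organisation recognises, and the domains it legitimately sends from.
EMPLOYEE_DISPLAY_NAMES = {"ronn example"}
INTERNAL_DOMAINS = {"victim-example.com"}

HELP_PLEA = ["hoping you can help", "need your help", "can you help"]
URGENCY = ["processed today", "same day", "this month's payroll", "urgent", "asap"]
PAYMENT_CHANGE = ["bank details", "account details", "payroll", "direct deposit"]
MOBILE_SIG = re.compile(r"sent from my (iphone|ipad|android|mobile)", re.I)
DESKTOP_MAILER = re.compile(r"outlook|thunderbird", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def body_text(msg) -> str:
    """Return the first text/plain part of a parsed message, decoded."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def score_message(raw: str) -> dict:
    msg = message_from_string(raw)
    body = body_text(msg)
    low = " ".join(body.lower().split())  # collapse line wraps so phrases match
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []

    # Spoofed alias: a known employee's display name on an external address.
    if name.strip().lower() in EMPLOYEE_DISPLAY_NAMES and domain not in INTERNAL_DOMAINS:
        reasons.append(f"display name '{name}' matches an employee but sender domain is external ({domain})")

    # "Sent from my iPhone" contradicted by a desktop client header. The post does
    # not say which header its analysts used; X-Mailer/User-Agent is assumed here.
    # Both are sender-controlled and often absent, so this corroborates, not proves.
    mailer = f"{msg.get('X-Mailer', '')} {msg.get('User-Agent', '')}"
    if MOBILE_SIG.search(body) and DESKTOP_MAILER.search(mailer):
        reasons.append("mobile signature contradicted by desktop mail client header")

    # Linguistic indicators: emotional plea, urgency, and a payment-change request.
    for label, phrases in (("help plea", HELP_PLEA), ("urgency", URGENCY), ("payment change", PAYMENT_CHANGE)):
        hits = [p for p in phrases if p in low]
        if hits:
            reasons.append(f"{label}: {', '.join(hits)}")

    # Moving the conversation to a new, sender-supplied phone number.
    if PHONE_RE.search(low) and re.search(r"call me|any questions|reach me", low):
        reasons.append("new contact number offered for follow-up")

    # Hold threshold is an assumption; tune it against your own mail.
    return {"score": len(reasons), "reasons": reasons, "hold": len(reasons) >= 3}


if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("benign", SAMPLE_BENIGN)):
        verdict = score_message(sample)
        print(label, verdict["score"], verdict["hold"], *verdict["reasons"], sep="\n  ")
```

None of these checks is conclusive alone: internal staff do write from personal phones and do ask for help in a hurry. The value is in the combination, and in surfacing the reasons, so the person handling payroll can see that a change request arrived from an external address with a new phone number and apply the out-of-band verification described below.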

Detecting BEC attacks that leverage social engineering

Cybercriminals use the tactics displayed in this campaign to increase both deliverability and the likelihood the recipient will fall victim.

Both the scouting emails and the subsequent impersonation attacks bypassed signature-based and reputation-based detection used by the perimeter security offered by Microsoft 365 and SEGs.

The social engineering tactics, including elaborate pretexting, used in the second phase of the campaign can make it incredibly difficult for the recipients to recognize this as a phishing attack.

As a result, organizations should ensure they have the appropriate processes and defenses in place. Any change to financial details or payment instructions should be verified through a channel independent of the request, for example by calling the employee on a number already on file, and never by replying to the email or using new contact details supplied in it.

Organizations should also enhance their anti-phishing defenses using behavior-based email security. Integrated cloud email security solutions, such as Egress Defend, use natural language processing (NLP) and natural language understanding (NLU) to detect the linguistic indicators of social engineering. Integrating seamlessly into Microsoft 365, ICES solutions offer an additional layer of defense to protect organizations from advanced phishing attacks.