
Out-of-office replies are a standard part of workplace communication. Whether you’re heading away on annual leave or stepping out for a conference, setting an auto-response helps manage expectations and shows that messages aren’t being ignored. It’s polite, helpful and… surprisingly risky.
When written without much consideration, out-of-office messages can expose sensitive information to the wrong people. A typical auto-response might read:
“I’m out of the office until 12th July. For anything urgent, please contact Jane Smith at jane.smith@example.co.uk.”
This may seem harmless, but to a cybercriminal, this short message provides valuable insights and confirms three key points:
- The email address is active
- The account owner is currently away for a known amount of time
- A colleague, now named, may be a useful target for impersonation or phishing attacks
It may also signal that this inbox isn’t being closely monitored, potentially giving the cybercriminal a window to operate with a reduced risk of detection.
These replies can also unintentionally confirm internal relationships or team structures, making it easier for threat actors to launch convincing social engineering campaigns.
So, what’s the solution?
The first step is to separate internal and external audiences. Most email platforms, including Microsoft 365 and Google Workspace, allow you to create different messages for each audience. Internally, it’s usually fine to include a return date or an alternative contact. Externally, it’s better to keep things neutral and avoid sharing specific names or timelines. A simple message such as the following is often enough:
“Thank you for your email. I’m currently unavailable and will respond as soon as possible upon my return.”
Where a point of contact is needed, direct external queries to a shared mailbox rather than naming an individual. This avoids widening the attack surface and ensures that the message is picked up by a monitored inbox.
It’s also worth reviewing whether certain accounts should have out-of-office replies at all. Generic addresses such as info@, hr@ or finance@ are frequently targeted by attackers. These should be configured carefully, or auto-replies disabled entirely, depending on their use.
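The two-audience setup above, and disabling replies on a generic address, can be applied in Microsoft 365 through Exchange Online PowerShell. The script below is an added example written for this article, not part of the original; the mailboxes alex.jones@example.co.uk, info@example.co.uk and the shared address enquiries@example.co.uk, along with the dates, are placeholders.

```powershell
# Added example (not from the original article). Requires the
# ExchangeOnlineManagement module; all mailbox names and dates are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@example.co.uk

# Risky pattern: one message for everyone that gives a return date, names a
# colleague and hands out their address to any external sender.
$riskyText = "I'm out of the office until 12th July. For anything urgent, " +
             "please contact Jane Smith at jane.smith@example.co.uk"
# Set-MailboxAutoReplyConfiguration -Identity alex.jones@example.co.uk `
#     -AutoReplyState Enabled -ExternalAudience All `
#     -InternalMessage $riskyText -ExternalMessage $riskyText

# Safer configuration: staff still see the date and the alternative contact,
# while external senders get a neutral message pointing at a monitored
# shared mailbox (enquiries@ is a placeholder) rather than a named person.
$internalText = "I'm out of the office until 12th July. For anything urgent, " +
                "please contact Jane Smith."
$externalText = "Thank you for your email. I'm currently unavailable and will " +
                "respond as soon as possible upon my return. For urgent " +
                "matters, please contact enquiries@example.co.uk."

Set-MailboxAutoReplyConfiguration -Identity alex.jones@example.co.uk `
    -AutoReplyState Scheduled `
    -StartTime (Get-Date "2025-07-01") -EndTime (Get-Date "2025-07-12") `
    -InternalMessage $internalText `
    -ExternalMessage $externalText `
    -ExternalAudience All
# -ExternalAudience Known limits the external reply to the user's saved
# contacts, and None sends it to nobody outside the organisation.

# Generic addresses are targeted most often; turn auto-replies off there.
Set-MailboxAutoReplyConfiguration -Identity info@example.co.uk -AutoReplyState Disabled

# Audit: list every mailbox with auto-replies switched on, together with the
# text external senders receive, so leaky messages can be reviewed.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxAutoReplyConfiguration |
    Where-Object { $_.AutoReplyState -ne 'Disabled' } |
    Select-Object Identity, AutoReplyState, ExternalAudience, ExternalMessage
```

The audit query at the end is worth running periodically, since users can change their own auto-reply text at any time.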
Finally, it’s recommended to cover these risks in wider staff training. People don’t usually think of an out-of-office message as a security risk, but modern threats, especially phishing and business email compromise (BEC), make it important to treat every form of communication with the same level of caution. BEC is a type of cybercrime in which threat actors impersonate trusted individuals via email to trick victims into sending money or sensitive information.
Out-of-office replies serve a purpose, but they should never serve up opportunities to attackers. With a few simple adjustments, they can remain helpful without becoming a risk.