Out Of Office: How to set a safe OOO message

If you are stepping out of the office this summer, here is how to set an out of office (OOO) message—and do it safely.

Thank you for your email.

At this moment, I am away at the ABC Midwest Manager’s Conference in Louisville, KY and will return July 17. If you have any urgent questions, please give me a call at 123.456.7890. If you cannot reach me, email Jim at jim@thecompany.com or call Beth at 456.789.1011. I will look forward to catching up with you upon my return.

Kind regards.

Susan Johns

COO – The Company

123.456.7890

That was very kind of you. Your clients and admiring cybercriminals genuinely appreciate all of the information that you have provided to them.

Unfortunately, thorough autoreplies can provide scammers with enough information to do some serious damage. Business email compromise (BEC) schemes often leverage strategic moments when someone is out of the office to attack. When everyone is out of their normal workflow, they are more vulnerable to unusual requests. OOO messages can provide them with key intel for precision attacks.

In addition to the basic information that someone is out of the office, they now have some idea of the authority structure in your office, who answers to who, and preferred communication methods. They also have several ways to contact you and your employees directly—allowing them to use more advanced social engineering methods to increase the likelihood of an effective spear phishing attack.

Beyond brewing a potential OOO scheme against your own company, savvy cybercriminals can also hijack your OOO message to compromise your contacts as well.

Keep your OOO safe

None of this means that you can never use an OOO message. However, it does means that you and your staff should evaluate whether setting an OOO message should be standard policy for your organization.

Does the benefit outweigh the risk? It very well might. If it does, and you feel that you should continue to use them, consider the following before activating it next time.

1. Do you need to send OOO messages to people outside of your organization, or can you restrict your OOO message to only go to people within your organization? (This is a simple checkbox setting in most email systems).
2. Do not include information on your whereabouts.
3. Do not include information about chain of command within your organization or alternative contacts.
4. Check your automatic signature to see whether or not you would want a potential cybercriminal to have that information. If it contains more information than you would want them to have, consider disabling it for your OOO message.
5. Keep it as concise and polite as possible. A version of the simple “I’m sorry that I cannot reply right now, but will be checking my message as soon as possible and make sure that your concern is addressed,” will likely suffice in most instances.

Now that we have discussed the security concerns of an OOO message, here is how you can actually set one for Gmail or Outlook.

Set an Out of Office Message in Outlook (through your browser)

1. Sign into Outlook at https://outlook.office.com/
2. At the top right of the page, select Settings > View all Outlook settings > Mail > Automatic replies.
3. Select the Turn on automatic replies toggle.
4. Select the Send replies only during a time period check box, and then enter a start and end time. If you don't set a time period, your automatic reply remains on until you turn it off by selecting the Automatic replies on toggle.
5. Select the check box for any of the following options that you're interested in:
6. Block my calendar for this period
7. Automatically decline new invitations for events that occur during this period
8. Decline and cancel my meetings during this period
9. In the box at the bottom of the window, type a message to send to people during the time you are away.
10. If you like, you can use the formatting options at the top of the box to change the font and color of the text or customize your message in other ways.
11. If you decide that you want senders outside of your organization to get automatic replies, select the check box for Send replies outside your organization. When you are done, select Save at the top of the window.

If you did not set a time period for automatic replies (Step 4), you will need to turn them off manually. To turn off automatic replies, sign into Outlook in your browser, choose Settings > View full settings > Mail > Automatic replies and then select the “Automatic Replies” on toggle.

Set up an Out of Office Message in Outlook (Desktop App)

1. Select File > Automatic Replies.
2. Select Send automatic replies.
3. If you do not want the messages to go out right away, select only send during this time range.
4. Choose the dates and times that you would like to set your automatic reply for.
5. Type in a message. You can format the text using the tool bar, or cut and paste text you have formatted, including hyperlinked text.
6. Select OK.



To set an automatic reply for contacts outside your company, select Outside My Organization > Auto-reply to people outside my organization, type in a message, and select OK.

Set up an Out of Office Message in Gmail

1. On your computer, open Gmail.
2. In the top right, click Settings > See all settings.
3. Scroll down to the "Vacation responder" section.
4. Select Vacation responder on.
5. Fill in the date range, subject, and message.
6. Under your message, check the box if you only want your contacts to see your vacation reply.
7. At the bottom of the page, click Save Changes.

Note: If you have a Gmail signature, it will be shown at the bottom of your vacation response.

Turn off your Gmail vacation reply

When your vacation reply is on, you will see a banner across the top of your inbox that shows the subject of your vacation response. To turn off your vacation response, click End now.