Weakness in Microsoft Office 365 Message Encryption could expose email contents

WithSecure researchers are warning organizations of a security weakness in Microsoft Office 365 Message Encryption (OME) that could be exploited by attackers to obtain sensitive information.

OME, which organizations use to send encrypted emails internally and externally, relies on the Electronic Codebook (ECB) mode of operation, a mode known to leak certain structural information about the messages it encrypts.

Attackers able to obtain enough OME emails could use the leaked information to partially or fully infer the contents of the messages by analyzing the location and frequency of repeated patterns in individual messages, and then matching those patterns to ones found in other OME emails and files.
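The leak described above, shown as an added example that is not from the advisory, from WithSecure or from Microsoft's OME code: the program below uses Go's standard-library AES to encrypt two constructed messages in ECB mode, then runs a key-free check that counts repeated ciphertext blocks within and across messages. The key, the 16-byte header line and the message bodies are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

const bs = aes.BlockSize // 16-byte AES blocks

// ecbEncrypt PKCS#7-pads msg and encrypts each block on its own under one key
// (ECB mode): equal plaintext blocks give equal ciphertext blocks, the leak described above.
func ecbEncrypt(key, msg []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := byte(bs - len(msg)%bs)
	p := append(append([]byte(nil), msg...), bytes.Repeat([]byte{pad}, int(pad))...)
	for i := 0; i < len(p); i += bs {
		c.Encrypt(p[i:i+bs], p[i:i+bs]) // in place: dst and src overlap entirely, which Block permits
	}
	return p, nil
}

// repeatedBlocks counts, across all ciphertexts given, blocks that duplicate a block already
// seen (in the same message or another). No key is needed; under CBC or GCM the count is ~0,
// so a positive count is a strong indicator of ECB and of the cross-message leak above.
func repeatedBlocks(cts ...[]byte) int {
	seen, dups := map[string]bool{}, 0
	for _, ct := range cts {
		for i := 0; i+bs <= len(ct); i += bs {
			b := string(ct[i : i+bs])
			if seen[b] {
				dups++
			}
			seen[b] = true
		}
	}
	return dups
}

func main() {
	key := []byte("constructed-16bk") // constructed demo key, exactly 16 bytes
	hdr := "X-Company-Memo-1"         // constructed 16-byte boilerplate header line
	ct1, _ := ecbEncrypt(key, []byte(hdr+hdr+"quarterly numbers attached"))
	ct2, _ := ecbEncrypt(key, []byte(hdr+"unrelated body text"))
	fmt.Println(repeatedBlocks(ct1), repeatedBlocks(ct2), repeatedBlocks(ct1, ct2)) // 1 0 2
}
```

The same check run over a message set encrypted with an authenticated mode such as AES-GCM returns zero repeats, which is the quickest way to confirm whether a ciphertext archive exhibits the ECB property.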

Possible attack scenario

“Attackers who are able to get their hands on multiple messages can use the leaked ECB info to figure out the encrypted contents. More emails make this process easier and more accurate, so it’s something attackers can perform after getting their hands on email archives stolen during a data breach, or by breaking into someone’s email account, email server or gaining access to backups,” explained WithSecure consultant and security researcher Harry Sintonen, who discovered the issue.

According to the advisory, the analysis can be done offline, meaning an attacker could compromise backlogs or archives of previous messages.

Unfortunately, organizations have no way to prevent an attacker who comes into possession of affected emails from compromising their contents using the method outlined in the advisory.

The advisory also highlights that no knowledge of the encryption keys is required to conduct the analysis, and that use of a Bring Your Own Key (BYOK) scheme does not remedy the problem.

What to do?

Sintonen shared his research with Microsoft in January 2022. While Microsoft acknowledged the problem and paid Sintonen through their vulnerability reward program, they opted not to issue a fix. While organizations can mitigate the problem simply by not using the feature, that does not address the risk of adversaries gaining access to existing emails already encrypted with OME.

“Any organization with personnel that used OME to encrypt emails are basically stuck with this problem. For some, such as those who have confidentiality requirements put into contracts or local regulations, this could create some issues. And then of course, there’s questions about the impact this data could have in the event it’s actually stolen, which makes it a significant concern for organizations,” said Sintonen.

Because there is no fix from Microsoft and no more secure mode of operation available to email admins or users, WithSecure recommends avoiding the use of OME as a means of ensuring the confidentiality of emails.
