"Weakness in Microsoft Office 365 Message Encryption Could Expose Email Contents"
Researchers from WithSecure are warning organizations about a security flaw in Microsoft Office 365 Message Encryption (OME) that attackers could exploit to steal sensitive information. Organizations use OME to send encrypted emails internally and externally. OME utilizes the Electronic Codebook (ECB) implementation, a mode of operation known to leak certain structural information about messages. Attackers who obtain a sufficient number of OME emails could use the leaked information to partially or completely infer the contents of the messages by analyzing the location and frequency of repeated patterns in individual messages. Then they can match these patterns to those found in other OME emails and files. According to WithSecure's advisory, the analysis can be performed offline, which means that an attacker could compromise previous message backlogs or archives. Organizations cannot prevent an attacker who obtains affected emails from compromising their contents using the method described in the advisory. The advisory also emphasizes that no knowledge of the encryption keys is required to perform the analysis, and that using a Bring Your Own Key (BYOK) scheme does not solve the problem. The issue was discovered by WithSecure consultant and security researcher Harry Sintonen. He shared his findings with Microsoft, and the company acknowledged the issue and compensated Sintonen through their vulnerability reward program, but they chose not to issue a fix. Although organizations can avoid the problem by not using the feature, this does not address the risks of adversaries gaining access to existing OME-encrypted emails. This article continues to discuss the security vulnerability discovered in OME.