Microsoft Office 365 email encryption may not be as watertight as it seems
There is a flaw in the way Microsoft handles secure emails sent through Microsoft Office 365, a security researcher has claimed.
As reported by ComputerWeekly, with a large enough sample, a threat actor could apparently exploit the loophole to decipher the contents of encrypted emails.
However, Microsoft has downplayed the significance of the findings, saying it’s not really a bug. For now, the company has no plans to carry out any remediation.
More emails, easier discovery
The flaw was discovered by security researcher Harry Sintonen of WithSecure (formerly F-Secure) in Office 365 Message Encryption (OME).
Organizations usually use OME when they want to send encrypted emails, both internally and externally. But given that OME encrypts each cipher block individually, and with repeating blocks of the message matching the same ciphertext blocks each time, a threat actor can theoretically reveal details about the structure of the message.
This, Sintonen claims, further means that a potential threat actor with a large enough sample of OME emails could infer the content of the messages. All they have to do is analyze the location and frequency of repeating patterns in each message and match them with other messages.
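The property Sintonen describes, shown with an added example that is not from the researcher, WithSecure or Microsoft: a stand-in per-block transform (HMAC truncated to one block, assumed here purely to mimic the determinism of independent block encryption, not OME's actual cipher) next to a chained variant, with the checks a defender could run over a ciphertext archive to flag block repetition within and across messages.

```python
import hmac
import hashlib

BLOCK = 16

def _pad(data: bytes) -> bytes:
    # PKCS#7 padding up to a whole number of blocks
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_like_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for a block cipher used in ECB mode: every block is transformed
    # on its own, so equal plaintext blocks yield equal ciphertext blocks.
    # (Truncated HMAC is not invertible, but it shares ECB's determinism.)
    data = _pad(plaintext)
    return b"".join(hmac.new(key, data[i:i + BLOCK], hashlib.sha256).digest()[:BLOCK]
                    for i in range(0, len(data), BLOCK))

def chained_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Same stand-in, CBC-style: the previous ciphertext block is XORed into the
    # next input, so repeated plaintext no longer repeats in the ciphertext.
    data = _pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        x = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]
        out.append(prev)
    return b"".join(out)

def blocks(ct: bytes) -> list:
    return [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]

def repeated_blocks(ct: bytes) -> int:
    # Number of ciphertext blocks that duplicate an earlier block in the same
    # message: a non-zero count is the classic sign of ECB-style encryption.
    bs = blocks(ct)
    return len(bs) - len(set(bs))

def shared_block_positions(ct_a: bytes, ct_b: bytes) -> list:
    # Block offsets at which two messages (same key) carry identical ciphertext.
    # Under ECB these expose shared plaintext at that offset, e.g. a template.
    return [i for i, (a, b) in enumerate(zip(blocks(ct_a), blocks(ct_b))) if a == b]

if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    header = b"Dear customer, your invoice is: "  # constructed 32-byte template
    a, b = ecb_like_encrypt(key, header + b"$100"), ecb_like_encrypt(key, header + b"$250")
    print("repeats:", repeated_blocks(ecb_like_encrypt(key, b"A" * 64)))  # 3
    print("shared offsets:", shared_block_positions(a, b))                 # [0, 1]
```

Running the same inputs through `chained_encrypt` with distinct IVs gives no repeats and no shared offsets, which is the contrast a reviewer would look for when assessing an encryption product.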
“More emails make this process easier and more accurate, so it’s something attackers can do after getting their hands on email archives stolen during a data breach, or breaking into someone’s email account or email server, or accessing backups,” Sintonen said.
If a threat actor obtains email archives stolen during a data breach, that means they can analyze the patterns offline, further simplifying their work. That would also make the Bring Your Own Encryption/Key (BYOE/K) practices obsolete.
Unfortunately, if a threat actor gets their hands on these emails, there’s not much companies can do.
Apparently, the researcher reported the problem to Microsoft early this year, to no avail. In a statement to WithSecure, Microsoft said the report “was not considered to meet the security services bar, nor is it considered a breach. No code change was made and thus no CVE was issued for this report.”
Via ComputerWeekly