Microsoft Office 365 email encryption may not be as tight as it seems

There is a flaw in the way Microsoft handles it Safe Emails (Opens in a new tab) Via Microsoft Office 365, a security researcher claimed.

As I mentioned weekly computerWith a large enough sample, a threat actor could apparently abuse the vulnerability to decrypt the encrypted contents Email messages.

However, Microsoft downplayed the results, saying they’re not really a flaw. At the moment, the company has no intention of putting together a cure.

More emails, easier discovery

The flaw was discovered by security researcher Harry Sintonen of WithSecure (formerly F-Secure) at Office 365 Message Encryption (OME).

Organizations typically use OME when looking to send encrypted email messages, both internally and externally. But given the fact that OME encrypts each cipher block individually, and with message blocks corresponding to the same ciphertext blocks repeated each time, the threat actor can theoretically reveal details about the message structure.

This, Sintonen claims, means that any potential threat actor with a large enough sample of OME emails can infer the contents of the messages. All they need to do is analyze a location and repeat the recurring patterns in each message and match them with the others.

“More emails make this process easier and more accurate, so attackers can do this after they get their hands on email archives stolen during a data breach, or by hacking someone’s email account or email server or accessing copies,” Sentonen said. backup”.

If the threat actor gets access to the stolen email archives during the data breach, this means that he will be able to analyze patterns offline, which simplifies the work even more. This will also make your crypto/key fetching (BYOE/K) practices obsolete as well.

Unfortunately, if a threat actor gets their hands on these emails, there isn’t much business they can do.

Apparently, the researcher reported the problem to Microsoft early this year, to no avail. In a statement provided to WithSecure, Microsoft said that the report “is not considered to meet the Security Services Standards, and is not considered a breach. No change was made to the code and therefore no CVE has been released for this report.”

Across weekly computer (Opens in a new tab)

Leave a Reply

Your email address will not be published. Required fields are marked *

Exit mobile version