Few solutions are as widely adopted by enterprises as Office 365. According to Statista, more than 879,851 companies in the US use Office 365 products to collaborate and stay productive. However, new research suggests that the platform could make encrypted emails vulnerable to decryption by hackers.
Researchers from cloud and endpoint protection provider WithSecure have discovered an unpatchable vulnerability in Microsoft Office 365 Message Encryption (OME). The flaw allows hackers to infer the contents of encrypted messages.
OME uses the Electronic Codebook (ECB) block cipher mode, which leaks information about the structure of a message. This means that an attacker who obtains many emails can infer the content of a message by analyzing the location and frequency of patterns in it and matching them against other emails.
For businesses, this highlights that encrypting your emails doesn’t by itself make them safe from threat actors. If someone steals your email archives or backups and gains access to your email server, they can use this technique to circumvent encryption.
How easy is it for an attacker to decrypt Office 365 emails?
WithSecure originally shared the Office 365 vulnerability it discovered with Microsoft in January 2022. Microsoft acknowledged the report and paid the researchers through its bug bounty program, but has yet to release a fix.
It’s worth noting that Microsoft isn’t the only provider to be criticized for using ECB. Just a few years ago, Zoom was heavily criticized for using AES-128 in ECB mode to encrypt calls and for exposing private video to unauthorized individuals.
While this Office 365 vulnerability does not directly decrypt message content, if an attacker can cross-reference enough email patterns, protected information is at risk of being leaked by inference.
“A malicious party gaining access to encrypted emails can extract some information from the so-called encrypted emails. Depending on the characteristics of the specific content in the emails, disclosure may be (almost) in whole or in part,” said Harry Sintonen, principal security advisor at WithSecure.
The greater the number of encrypted emails an attacker manages to obtain, the easier it is for them to compare patterns and decipher the contents of the messages. In terms of the level of risk posed by this vulnerability, Sintonen noted that particularly high-risk users would be “users who use OME to encrypt highly sensitive emails and attachments, and avoid revealing the source (or communication party) in general. Good examples are activists or journalists,” he said.
For example, if a journalist sends a highly sensitive document to a contact, a state-backed threat actor can fingerprint it, scan other encrypted emails, and identify to whom the target has sent the file.
Assuming worst case
With a 20.5% increase in the number of data breaches from 2020 to 2021, businesses cannot assume their encrypted emails are safe from threat actors.
For this reason, Sintonen recommends that enterprises using OME investigate their threat level. This involves not only identifying what types of material are shared via email, but also predicting what information or documents might be made public, and mapping the impact.
Ultimately, organizations must decide whether Office 365’s built-in encryption provides an acceptable level of risk for their collaboration needs, or whether they need to find a secure alternative to encrypted email delivery.
VentureBeat’s mission is to be a digital town square for technology decision makers to access transformative enterprise technology knowledge and transactions.