Microsoft Office 365: Insecure encryption for emails

Microsoft Office 365: Insecure encryption for emails

Share post

The labs of the security company WithSecure have bad news: The encryption used for emails in Microsoft Office 365 is not secure because it has a security hole. According to WithSecure, Microsoft does not plan to fix the vulnerability, although the National Institute of Standards and Technology NIST lists the vulnerability as serious in its Vulnerability Database.

Microsoft Office 365 Message Encryption (OME) uses the Electronic Codebook (ECB) operating mode. This mode is generally insecure and can reveal information about the structure of the messages being sent, which can result in partial or full disclosure of the message. Like in the "Announcement of Proposal to Revise Special Publication 800-38A" NIST states: “In the NIST National Vulnerability Database (NVD), the use of ECB to encrypt sensitive information represents a serious security vulnerability; see for example CVE-2020-11500 . "


Insecure encryption method

Microsoft Office 365 provides a method for sending encrypted messages. This feature is advertised to enable organizations to securely send and receive encrypted email messages between people inside and outside of your organization. Unfortunately, the OME messages are encrypted in the insecure Electronic Codebook (ECB) mode of operation.

Malicious third parties who gain access to the encrypted email messages may be able to identify the content of the messages as the ECB reveals certain structural information of the messages. This leads to a potential loss of confidentiality.


Subscribe to our newsletter now

Read the best news from B2B CYBER SECURITY once a month

By clicking on "Register" I agree to the processing and use of my data in accordance with the declaration of consent (please open for details). I can find more information in our Privacy policy. After registering, you will first receive a confirmation email so that no other person can order something you don't want.
Expand for details on your consent
It goes without saying that we handle your personal data responsibly. If we collect personal data from you, we process it in compliance with the applicable data protection regulations. Detailed information can be found in our Privacy policy. You can unsubscribe from the newsletter at any time. You will find a corresponding link in the newsletter. After you have unsubscribed, your data will be deleted as soon as possible. Recovery is not possible. If you would like to receive the newsletter again, simply order it again. Do the same if you want to use a different email address for your newsletter. If you would like to receive the newsletter offered on the website, we need an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data is not collected or only collected on a voluntary basis. We use newsletter service providers, which are described below, to process the newsletter.


This website uses CleverReach to send newsletters. The provider is CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany (hereinafter “CleverReach”). CleverReach is a service that can be used to organize and analyze the sending of newsletters. The data you enter for the purpose of subscribing to the newsletter (e.g. email address) will be stored on the CleverReach servers in Germany or Ireland. Our newsletters sent with CleverReach enable us to analyze the behavior of the newsletter recipients. This can include It is analyzed how many recipients have opened the newsletter message and how often which link in the newsletter was clicked. With the help of so-called conversion tracking, it can also be analyzed whether a previously defined action (e.g. purchase of a product on this website) took place after clicking on the link in the newsletter. Further information on data analysis by CleverReach newsletter is available at: The data processing takes place on the basis of your consent (Art. 6 Para. 1 lit. a DSGVO). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations that have already taken place remains unaffected by the revocation. If you do not want an analysis by CleverReach, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. The data you have stored with us for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you have canceled the newsletter. Data stored by us for other purposes remain unaffected. After you have been removed from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist if this is necessary to prevent future mailings. The data from the blacklist is only used for this purpose and is not merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR). Storage in the blacklist is not limited in time. You may object to the storage if your interests outweigh our legitimate interest. For more information, see the privacy policy of CleverReach at:

Data processing

We have concluded an order processing contract (AVV) for the use of the above-mentioned service. This is a contract required by data protection law, which ensures that the personal data of our website visitors is only processed according to our instructions and in compliance with the GDPR.

Encryption: Email attachments can be analyzed

🔎 Impressively tricked: An extracted image from an Office 365 Message Encryption protected email (Image: WithSecure).

Since the encrypted messages are sent as regular email attachments, the sent messages may have been stored in different email systems and intercepted by any party between the sender and the recipient. An attacker with a large message database can infer its content (or parts of it) by analyzing the relative positions of repeated sections of intercepted messages.

Most OME-encrypted messages are affected, and the attack can be carried out offline on any previously sent, received, or intercepted encrypted message. There is no way for the organization to prevent the analysis of messages already sent. Even using rights management functions does not solve the problem.

Depending on the content being sent over encrypted messages, some organizations may need to consider the legal implications of the vulnerability. It is possible that the vulnerability resulted in privacy implications as described in the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or similar legislation.

Error: Repeated encryption blocks

The Electronic Codebook (ECB) mode of operation means that each encryption block is encrypted individually. Repeating blocks of the plaintext message are always mapped to the same ciphertext blocks. In practice, this means that the actual plain text is not revealed directly, but information about the structure of the message is.

Even if a particular message would not directly reveal information in this way, with a large number of messages an attacker is able to perform an analysis of the relationship of the repeated patterns in the files to identify specific files. This can lead to the ability to derive (parts of) plaintext from encrypted messages. Knowledge of the encryption key is not required to exploit this vulnerability and therefore Bring Your Own Key (BYOK) or similar encryption key protections are of no remedial action.

No remedy in sight from Microsoft

After repeated inquiries about the status of the vulnerability, Microsoft finally responded with the following: "The report was not considered to meet the security service requirements and is not considered a violation. No code change was made and therefore no CVE was issued for this report.”

The end user or email system administrator has no way of enforcing a more secure mode of operation. Since Microsoft does not plan to fix this vulnerability. The only solution to the problem is to stop using Microsoft Office 365 Message Encryption and use another solution.

WithSecure, formerly F-Secure Business, has a more detailed, technical description of the issue on its website.

More at


About WithSecure

WithSecure, formerly F-Secure Business, is the trusted partner in cyber security. IT service providers, managed security services providers and other companies trust WithSecure - as do large financial institutions, industrial companies and leading communication and technology providers. With its results-oriented approach to cyber security, the Finnish security provider helps companies to put security in relation to operations and to secure processes and prevent business interruptions.


Matching articles on the topic

iPhones: Secret malware discovered – search tool is ready

A few days ago, Kaspersky discovered sophisticated malware on company iPhones. The campaign, dubbed Operation Triangulation, is apparently still ➡ Read more

China malware: Volt Typhoon targets critical US infrastructure

Microsoft investigated the Volt Typhoon malware and determined that it was created by a state-sponsored actor based in China ➡ Read more

Five years GDPR

The European Union's General Data Protection Regulation is exhausting, but a success story. The European Commission should mark the fifth anniversary of the GDPR ➡ Read more

World of work: Return to the office

The "Everywhere Work Report" paints a rather gloomy picture of the hybrid working world in 2023. Because between the expectations of the employees ➡ Read more

The GDPR and the AI ​​Act

The GDPR has now been in force for five years and the European Commission wants to improve the regulation in the first half of the year. ➡ Read more

German companies: 84 percent expect a cyber attack

The Trend Micro Cyber ​​Risk Index (CRI) for the second half of 2022 is here. 84 percent of Germans expect ➡ Read more

New corporate email phishing tactics

Cyber ​​criminals are constantly introducing new techniques and tactics in their phishing attacks to fool victims and bypass security measures. Barracuda ➡ Read more

Microsoft can open encrypted ZIP files

Security researchers have found that Microsoft is probably able to open encrypted ZIP archives stored on Onedrive or Sharepoint and ➡ Read more