Microsoft Office 365: Insecure encryption for emails

Microsoft Office 365: Insecure encryption for emails

Share post

The labs of the security company WithSecure have bad news: The encryption used for emails in Microsoft Office 365 is not secure because it has a security hole. According to WithSecure, Microsoft does not plan to fix the vulnerability, although the National Institute of Standards and Technology NIST lists the vulnerability as serious in its Vulnerability Database.

Microsoft Office 365 Message Encryption (OME) uses the Electronic Codebook (ECB) operating mode. This mode is generally insecure and can reveal information about the structure of the messages being sent, which can result in partial or full disclosure of the message. Like in the "Announcement of Proposal to Revise Special Publication 800-38A" NIST states: “In the NIST National Vulnerability Database (NVD), the use of ECB to encrypt sensitive information represents a serious security vulnerability; see for example CVE-2020-11500 . "

Insecure encryption method

Microsoft Office 365 provides a method for sending encrypted messages. This feature is advertised to enable organizations to securely send and receive encrypted email messages between people inside and outside of your organization. Unfortunately, the OME messages are encrypted in the insecure Electronic Codebook (ECB) mode of operation.

Malicious third parties who gain access to the encrypted email messages may be able to identify the content of the messages as the ECB reveals certain structural information of the messages. This leads to a potential loss of confidentiality.

Encryption: Email attachments can be analyzed

🔎 Impressively tricked: An extracted image from an Office 365 Message Encryption protected email (Image: WithSecure).

Since the encrypted messages are sent as regular email attachments, the sent messages may have been stored in different email systems and intercepted by any party between the sender and the recipient. An attacker with a large message database can infer its content (or parts of it) by analyzing the relative positions of repeated sections of intercepted messages.

Most OME-encrypted messages are affected, and the attack can be carried out offline on any previously sent, received, or intercepted encrypted message. There is no way for the organization to prevent the analysis of messages already sent. Even using rights management functions does not solve the problem.

Depending on the content being sent over encrypted messages, some organizations may need to consider the legal implications of the vulnerability. It is possible that the vulnerability resulted in privacy implications as described in the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or similar legislation.

Error: Repeated encryption blocks

The Electronic Codebook (ECB) mode of operation means that each encryption block is encrypted individually. Repeating blocks of the plaintext message are always mapped to the same ciphertext blocks. In practice, this means that the actual plain text is not revealed directly, but information about the structure of the message is.

Even if a particular message would not directly reveal information in this way, with a large number of messages an attacker is able to perform an analysis of the relationship of the repeated patterns in the files to identify specific files. This can lead to the ability to derive (parts of) plaintext from encrypted messages. Knowledge of the encryption key is not required to exploit this vulnerability and therefore Bring Your Own Key (BYOK) or similar encryption key protections are of no remedial action.

No remedy in sight from Microsoft

After repeated inquiries about the status of the vulnerability, Microsoft finally responded with the following: "The report was not considered to meet the security service requirements and is not considered a violation. No code change was made and therefore no CVE was issued for this report.”

The end user or email system administrator has no way of enforcing a more secure mode of operation. Since Microsoft does not plan to fix this vulnerability. The only solution to the problem is to stop using Microsoft Office 365 Message Encryption and use another solution.

WithSecure, formerly F-Secure Business, has a more detailed, technical description of the issue on its website.

More at


About WithSecure

WithSecure, formerly F-Secure Business, is the trusted partner in cyber security. IT service providers, managed security services providers and other companies trust WithSecure - as do large financial institutions, industrial companies and leading communication and technology providers. With its results-oriented approach to cyber security, the Finnish security provider helps companies to put security in relation to operations and to secure processes and prevent business interruptions.


Matching articles on the topic

NIS2 Directive: 6 tips for implementation in companies

The EU NIS2 Directive will soon require many companies to meet higher cybersecurity standards - the law is expected to be ready in October 2024 ➡ Read more

Win 11 Copilot+ Recall: Microsoft is building IT security under pressure

Shortly after Microsoft boss Satya Nadella introduced Copilot+ Recall for Windows 11, experts in IT security had devastating verdicts ➡ Read more

Cybersecurity: Lack of alignment between CEOs and CISOs

87 percent of CISOs surveyed in the Dynatrace CISO Report 2024 stated that CEOs are blind to user security. 70 percent of the ➡ Read more

BSI and Zero Day Initiative warn of critical Azure vulnerability  

The Zero Day Initiative (ZDI) collects and verifies reported vulnerabilities. Now there is probably a critical vulnerability in Azure with this ➡ Read more

Microsoft's Copilot+ Recall: Dangerous total surveillance?

Microsoft sees it as a super service, security experts as a disaster: Microsoft's Copilot+ Recall for Windows 11 records the activities every 5 seconds ➡ Read more

Cyber ​​insurance: What helps against rising costs?

Cyber ​​insurance protects companies financially from cyber attacks. As the threat situation increases, insurance companies are increasing the costs of annual premiums. Company, ➡ Read more

Keylogger steals login data from Exchange servers

The PT ESC Incident Response Team has discovered a new type of keylogger in the main page of a Microsoft Exchange Server. Everyone ➡ Read more

IT security: Lack of knowledge in German companies

Around 25 percent of all management know too little about IT security and 42 percent of employees do not regularly inform themselves about it ➡ Read more