Microsoft Office 365 email encryption may not be as watertight as it seems

By Scott Marlette Last updated Oct 15, 2022

There is a flaw in the way Microsoft handles secure emails (opens in new tab) sent through Microsoft Office 365, a security researcher has claimed.

As reported by ComputerWeekly, with a sufficiently large sample, a threat actor could apparently abuse the loophole to decipher the contents of encrypted emails.

However, Microsoft has played down the importance of the findings, saying it’s not really a flaw. For the time being, the company has no intention of putting in place a remediation.

More emails, easier discovery

The flaw was discovered by security researcher Harry Sintonen of WithSecure (formerly F-Secure) in Office 365 Message Encryption (OME).

Organizations usually use OME when looking to send encrypted emails, both internally and externally. But given the fact that OME encrypts each cipher block individually, and with repeating blocks of the message corresponding to the same cipher text blocks every time, a threat actor can theoretically reveal details about the message’s structure.

This, Sintonen further claims, means that a potential threat actor with big enough a sample of OME emails could deduce the contents of the messages. All they’d need to do is analyze the location and frequency of repeating patterns in each message, and match them to other messages.

“More emails make this process easier and more accurate, so it’s something attackers can perform after getting their hands on email archives stolen during a data breach, or by breaking into someone’s email account, email server or gaining access to backups,” Sintonen said.

If a threat actor obtains email archives stolen during a data breach, that means they’d be able to analyze the patterns offline, further simplifying the work. That would also render Bring Your Own Encryption/Key (BYOE/K) practices obsolete, too.

Unfortunately, if a threat actor gets their hands on these emails, there’s really not much businesses can do.

Apparently, the researcher reported the problem to Microsoft early this year, to no avail. In a statement provided to WithSecure, Microsoft said the report was “not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report”.

Via ComputerWeekly (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.