Microsoft Office 365 email encryption may not be as watertight as it seems
There’s a way to read the messages, a researcher claims
There is a flaw in the way Microsoft handles secure emails sent through Microsoft Office 365, a security researcher has claimed.
As reported by ComputerWeekly, with a sufficiently large sample, a threat actor could apparently abuse the loophole to decipher the contents of encrypted emails.
However, Microsoft has played down the importance of the findings, saying it’s not really a flaw. For the time being, the company has no intention of putting in place a remediation.
More emails, easier discovery
The flaw was discovered by security researcher Harry Sintonen of WithSecure (formerly F-Secure) in Office 365 Message Encryption (OME).
Organizations usually use OME when looking to send encrypted emails, both internally and externally. But because OME encrypts each block of a message independently, identical blocks of plaintext always produce identical blocks of ciphertext, so a threat actor can theoretically reveal details about the message’s structure without ever recovering the key.
This, Sintonen further claims, means that a potential threat actor with a big enough sample of OME emails could deduce the contents of the messages. All they’d need to do is analyze the location and frequency of repeating patterns in each message, and match them to other messages.
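The mode the article describes, where each block is encrypted on its own and repeated plaintext blocks map to repeated ciphertext blocks, is ECB (Electronic Codebook) mode. The following Go program is an added illustration, not code from the article, from WithSecure or from Microsoft, and it assumes AES as the block cipher and uses a constructed key, IV and message. It encrypts the same message in ECB and in CBC mode, then runs a simple check a defender can apply to any ciphertext: list the 16-byte blocks that occur more than once. In the ECB output the check pinpoints exactly where the plaintext repeats; in the CBC output it finds nothing.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo values. Fixed keys and IVs like these exist only to make
// the output reproducible; a real system derives fresh random ones.
var demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var demoIV = []byte("fixed-iv-16bytes")                 // 16 bytes: one AES block

// DemoMessage builds a constructed, block-aligned message in which the
// "Account" line recurs, the way a form or template would.
func DemoMessage() []byte {
	blockA := []byte("Account: 1234567") // 16 bytes
	blockB := []byte("Balance: 0000.00") // 16 bytes
	blockC := []byte("Status: ACTIVE  ") // 16 bytes
	return bytes.Join([][]byte{blockA, blockB, blockA, blockC, blockA}, nil)
}

// pkcs7Pad pads to a multiple of blockSize (a full block if already aligned).
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptECB encrypts every block independently: the structure-leaking mode.
func EncryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	pt := pkcs7Pad(plaintext, bs)
	out := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(out[i:i+bs], pt[i:i+bs])
	}
	return out, nil
}

// EncryptCBC chains each block with the previous ciphertext block, so equal
// plaintext blocks no longer yield equal ciphertext blocks.
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, pt)
	return out, nil
}

// RepeatedBlocks maps each ciphertext block value that occurs more than once
// to the block indexes where it appears. A non-empty result means the
// ciphertext reveals where its plaintext repeats, with no key required.
func RepeatedBlocks(ct []byte, blockSize int) map[string][]int {
	seen := map[string][]int{}
	for i := 0; i+blockSize <= len(ct); i += blockSize {
		k := string(ct[i : i+blockSize])
		seen[k] = append(seen[k], i/blockSize)
	}
	rep := map[string][]int{}
	for k, idx := range seen {
		if len(idx) > 1 {
			rep[k] = idx
		}
	}
	return rep
}

// CountRepeatedBlocks is the scalar form of the check: 0 means no leak found.
func CountRepeatedBlocks(ct []byte, blockSize int) int {
	return len(RepeatedBlocks(ct, blockSize))
}

func main() {
	msg := DemoMessage()
	ecb, _ := EncryptECB(demoKey, msg)
	cbc, _ := EncryptCBC(demoKey, demoIV, msg)
	for _, idx := range RepeatedBlocks(ecb, aes.BlockSize) {
		fmt.Printf("ECB: one ciphertext block repeats at block indexes %v\n", idx)
	}
	fmt.Printf("CBC: %d repeated block values\n", CountRepeatedBlocks(cbc, aes.BlockSize))
}
```

The check only needs the ciphertext and the block size, which is why the article's scenario works on stolen archives offline. Note that CBC with a fixed IV still repeats across messages that start identically; an authenticated mode such as AES-GCM with a fresh nonce per message is the usual fix.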
“More emails make this process easier and more accurate, so it’s something attackers can perform after getting their hands on email archives stolen during a data breach, or by breaking into someone’s email account, email server or gaining access to backups,” Sintonen said.
If a threat actor obtains email archives stolen during a data breach, they can analyze the patterns offline, which further simplifies the work. It would also render Bring Your Own Encryption/Key (BYOE/K) practices obsolete.
Unfortunately, if a threat actor gets their hands on these emails, there’s really not much businesses can do.
Apparently, the researcher reported the problem to Microsoft early this year, to no avail. In a statement provided to WithSecure, Microsoft said the report was “not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report”.
Via ComputerWeekly
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.