Microsoft Office 365 Message Encryption (OME) doesn’t ensure confidentiality

A bug in the message encryption mechanism used by Microsoft in Office 365 can allow to access the contents of the messages.

Researchers at the cybersecurity firm WithSecure discovered a bug in the message encryption mechanism used by Microsoft in Office 365 that can allow to access message contents due.

The experts pointed out that Microsoft Office 365 Message Encryption (OME) relies on Electronic Codebook (ECB) mode of operation. The ECB mode is considered insecure and can reveal the structure of the messages sent, potentially leading to partial or full message disclosure.

The OME method is used to send and receive encrypted email messages and the vulnerability can allow attackers to decipher the content of encrypted emails.

“Malicious 3rd party gaining access to the encrypted email messages may be able to identify content of the messages since ECB leaks certain structural information of the messages. This leads to potential loss of confidentiality.” reads the post published by WithSecure.

“Since the encrypted messages are sent as a regular email attachments, the messages sent may be stored in various email systems, and may have been intercepted by any party between the sender and the recipient. An attacker with a large database of messages may infer their content (or parts of it) by analyzing relative locations of repeated sections of the intercepted messages.”

The experts demonstrated how to exploit the flaw by extracting an image from an Office 365 Message Encryption-protected email. The experts pointed out that despite the message was encrypted with AES, which is secure, the use of the ECB mode exposed the content of the message.

According to WithSecure, the issue impacts most OME encrypted messages, to worsen the situation, the attack can be also performed offline on any encrypted messages. This means that the exploitation of the issue can allow attackers to decrypt already sent messages.

WithSecure reported its findings to Microsoft, but the IT giant responded that the issue is not considered a breach.

“The report was not considered  meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report.” states Microsoft.

“End user or administrator of the email system has no option to enforce more secure mode of operation. Since Microsoft has no plans to fix this vulnerability the only mitigation is to avoid using Microsoft Office 365 Message Encryption.” concludes WithSecure.

Nevertheless, users should be cautious, and organizations using OME for email encryption should avoid using it as the sole method of email confidentiality until Microsoft releases a fix or a better option is available.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Office 365)

[adrotate banner=”5″]

[adrotate banner=”13″]