
Office 365's encryption feature can be easily hacked, warns WithSecure

Researchers advise enterprises to move away from Office 365 Message Encryption, claiming its messages can be decrypted without a key


Researchers at cyber security firm WithSecure have issued an advisory, warning that the method used to generate encrypted messages in Microsoft Office 365 can be cracked relatively easily.

Microsoft Office 365 Message Encryption (OME), a feature offered within the Office 365 suite, allows enterprise users to send encrypted messages as an HTML attachment via email.


Microsoft says the function is useful for sending sensitive data such as medical records, but WithSecure contends the service uses an insecure mode of operation for its encryption, allowing threat actors to infer the structure of encrypted messages.

OME messages are encrypted in Electronic Codebook (ECB) mode, in which the text of the message is broken down into fixed-size blocks that are each encrypted independently using a key stored and managed by Microsoft, through Azure Rights Management (Azure RMS). Because every block is processed with the same key and nothing else, each block of plaintext is substituted for one fixed block of ciphertext determined by that key.

However, in this mode identical blocks of plaintext will produce identical blocks of ciphertext, allowing patterns within the content to be identified. This is particularly the case with emails, which have structures that are more easily predicted than other types of messages typically sent through end-to-end encrypted (E2EE) apps, such as Signal or WhatsApp.

Emails within organisations, which are likely to contain repeating headers or footers, might be especially vulnerable to this kind of analysis, as the repeated patterns reveal which ciphertext blocks correspond to which plaintext. If messages from an organisation always sign off in the same way, an attacker with access to a database of such messages would be able to partially decrypt each one.
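The following Go program is an added illustration of the property described above; it is not code from WithSecure's advisory or from Microsoft, and the key, the two sample mails and their block-aligned lengths are all constructed for the demonstration. It encrypts two internal mails that differ in body but share a sign-off, once with AES in ECB mode and once with AES-GCM, and counts the 16-byte ciphertext blocks that coincide. It also includes the defender-side check a mail gateway or DLP scanner can apply: any 16-byte block that repeats inside a single ciphertext is a strong signal that the content was encrypted in ECB mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample data (not from the advisory): two mails that differ in body
// but share the organisation's standard sign-off. Each body is exactly 32 bytes,
// so the signature starts on a 16-byte block boundary in both messages.
const (
	body1     = "Payroll file for March attached\n"
	body2     = "Board pack for Tuesday attached\n"
	signature = "--\nRegards,\nExample Corp Finance Team\nexample.test\n"
	banner    = "*INTERNAL ONLY*\n" // exactly one AES block; repeated in a third mail
)

// demoKey stands in for the tenant key Azure RMS would hold; constructed value.
var demoKey = []byte("0123456789abcdef")

// pkcs7Pad pads msg to a multiple of blockSize, as an ECB implementation must.
func pkcs7Pad(msg []byte, blockSize int) []byte {
	n := blockSize - len(msg)%blockSize
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// ecbEncrypt encrypts every block independently under the same key. Go's standard
// library deliberately offers no ECB helper; this loop is all ECB mode is.
func ecbEncrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs7Pad(msg, bs)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out, nil
}

// gcmEncrypt is the contrast case: AES-GCM with a fresh random nonce per message,
// so equal plaintext fragments give unrelated ciphertext. Output is nonce||ct||tag.
func gcmEncrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, msg, nil)...), nil
}

// sharedBlocks counts blocks of b that also occur somewhere in a. Under ECB a
// block-aligned fragment common to two messages (here the sign-off) appears as
// identical ciphertext in both, which is what lets it be matched across a corpus.
func sharedBlocks(a, b []byte, blockSize int) int {
	seen := map[string]bool{}
	for i := 0; i+blockSize <= len(a); i += blockSize {
		seen[string(a[i:i+blockSize])] = true
	}
	n := 0
	for i := 0; i+blockSize <= len(b); i += blockSize {
		if seen[string(b[i:i+blockSize])] {
			n++
		}
	}
	return n
}

// repeatedBlocks counts blocks in one ciphertext that duplicate an earlier block.
// A non-zero result is a cheap ECB detector: CBC or GCM output looks random and
// repeats a 128-bit block only by a negligible fluke.
func repeatedBlocks(ct []byte, blockSize int) int {
	seen := map[string]bool{}
	n := 0
	for i := 0; i+blockSize <= len(ct); i += blockSize {
		b := string(ct[i : i+blockSize])
		if seen[b] {
			n++
		}
		seen[b] = true
	}
	return n
}

func main() {
	m1, m2 := []byte(body1+signature), []byte(body2+signature)
	e1, _ := ecbEncrypt(demoKey, m1)
	e2, _ := ecbEncrypt(demoKey, m2)
	g1, _ := gcmEncrypt(demoKey, m1)
	g2, _ := gcmEncrypt(demoKey, m2)
	e3, _ := ecbEncrypt(demoKey, []byte(banner+banner+banner))
	fmt.Println("ECB blocks shared by the two mails:", sharedBlocks(e1, e2, 16))
	fmt.Println("GCM blocks shared by the two mails:", sharedBlocks(g1, g2, 16))
	fmt.Println("ECB repeated blocks in banner mail: ", repeatedBlocks(e3, 16))
}
```

Run as written, the ECB ciphertexts share four blocks (three full signature blocks plus the final block of signature tail and padding, identical in both mails) while the GCM ciphertexts share none, and the banner mail shows two repeated blocks under ECB. The example builds the sign-off on a block boundary to make the effect exact; in real traffic the offset varies with message length, which changes how many blocks line up but not the underlying leak.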

WithSecure has advised organisations to consider alternative channels of communication for sensitive company information.

Recipients are required to access messages through a one-time passcode, valid Microsoft account, or work account in order to decrypt messages, and end-users can revoke access to sent emails at any time.

However, OME imposes no usage limitations on the attachment itself. It's possible, therefore, that threat actors could intercept the attachments, print them, or be forwarded them by the original recipient with little remediation possible on the sender’s end.

WithSecure reported the issue, which it classifies as a vulnerability, to Microsoft on 11 January. However, after several repeated attempts to contact the tech giant, and a notice that it would go public with the disclosure, WithSecure claims it received the following message from Microsoft on 21 September:

"The report was not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report."

Researchers cite Microsoft compliance documentation to posit that ECB is used to maintain backwards compatibility with legacy versions of Office, which only support the Advanced Encryption Standard (AES) with a 128-bit key in ECB mode.

In addition to OME, enterprise users can use two other encryption services within Office 365. These are Information Rights Management (IRM) and S/MIME, which both offer greater control over the access rights of sent messages. Messages sent through these alternatives are also encrypted using different modes of operation, but come with their own accessibility benefits and drawbacks.

"The rights management feature is intended as a tool to prevent accidental misuse and is not a security boundary," a Microsoft spokesperson told IT Pro.

"To help prevent abuse we recommend customers follow best security practices, including keeping systems up to date, enabling multi-factor authentication, and using a real time anti-malware product."

Microsoft also stated that its use of ECB encryption supports legacy applications, and that it is working on alternative encryption protocols for future product versions.

This article has been updated to include a statement from Microsoft.
