Check out the on-demand sessions from the Low-Code/No-Code Summit to learn how to successfully innovate and achieve efficiency by upskilling and scaling citizen developers. Watch now.
Few solutions have the enterprise adoption that Office 365 does. According to Statista, over 879,851 companies in the United States use Office 365 products to collaborate and remain productive. However, new research suggests that the platform could be leaving encrypted emails vulnerable to decryption by hackers.
A researcher from cloud and endpoint protection provider WithSecure has discovered an unpatchable flaw in Microsoft Office 365 Message Encryption (OME). The flaw enables a hacker to infer the contents of encrypted messages.
OME uses the electronic codebook (ECB) block cipher, which leaks structural information about the message. This means if an attacker obtains many emails they can infer the contents of the messages by analyzing the location and frequency of patterns in the messages and matching these to other emails.
For enterprises, this highlights that just because your emails are encrypted, doesn’t mean they’re safe from threat actors. If someone steals your email archives or backups, and accesses your email server, they can use this technique to sidestep the encryption.
Intelligent Security Summit
Learn the critical role of AI & ML in cybersecurity and industry specific case studies on December 8. Register for your free pass today.
How easy is it for attackers to decrypt Office 365 emails?
The discovery comes shortly after researchers discovered hackers were chaining two new zero-day Exchange exploits to target Microsoft Exchange servers.
WithSecure originally shared its discovery of the Office 365 vulnerability with Microsoft in January 2022. Microsoft acknowledged it and paid the researcher through its vulnerability reward program, but hasn’t issued a fix.
It’s important to note that Microsoft isn’t the only provider to receive criticism for using ECB. Just a couple of years ago, Zoom received heavy criticism for choosing AES-128 ECB to encrypt calls and exposing private videos to unauthorized individuals.
While this Office 365 vulnerability doesn’t directly decipher message content, if an attacker can cross-reference enough email patterns, protected information is at risk of disclosure through inference.
A “malicious party who gains access to the encrypted emails can extract some information from the supposedly encrypted emails. Depending on the characteristics of the specific content on the email, the revelation could be (nearly) complete or partial,” said Harry Sintonen, principal security consultant at WithSecure.
The greater the number of encrypted emails an attacker manages to harvest, the easier it is for them to compare patterns and decipher the message content. In terms of the level of risk posed by this vulnerability, Sintonen noted that particularly high-risk users would be “ones who use OME to encrypt highly sensitive emails and attachments, and for whom it is important to avoid revealing sources (or parties of communication in general). A good example would be activists or journalists,” he said.
For example, if a journalist sends a highly sensitive document to a contact, a state-sponsored threat actor could create a fingerprint for it, scan other encrypted emails, and identify to whom the target has sent the document.
Assume the worst
For this reason, Sintonen recommends that enterprises using OME investigate the level of threat. That involves not only identifying what types of materials are shared via email, but anticipating which information or files could be exposed, and mapping the impact.
Ultimately, organizations will have to decide for themselves whether Office 365’s built-in encryption offers an acceptable level of risk for their collaborative needs or whether they need to find a secure replacement for encrypted email delivery.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.