The process of email encryption for Microsoft Office 365 may not be as watertight as it appears

A security researcher claims there is a flaw in Microsoft's handling of secure emails.

ComputerWeekly reported that, with a sufficiently large sample, a threat actor might use the loophole to decipher the contents of encrypted emails.

Microsoft has downplayed the findings, stating that it is not a flaw. For the time being, the company has no intention of putting a remediation in place.

More emails, easier discovery

Security researcher Harry Sintonen of WithSecure (formerly F-Secure) discovered the flaw in Office 365 Message Encryption (OME).

OME encrypts each cipher block individually, so repeating blocks of the message correspond to the same ciphertext blocks every time, and a threat actor can theoretically reveal details about the message's structure.

This, according to Sintonen, means that a potential threat actor with an adequate sample of OME emails might deduce the contents of the messages. It's only necessary to examine the location and frequency of repeating patterns in each message, and match them to other messages.
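
The leak described above is what happens when a block cipher is applied to every block independently (ECB mode). The following added example, which is not code from the article, the researcher or Microsoft, uses a keyed hash as a constructed stand-in for the cipher and compares independent per-block encryption with a chained variant; the key, IV, message and function names are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

BLOCK = 16  # assumed block size in bytes (128-bit blocks)

def _prf(key, block):
    # Stand-in for a block cipher: keyed and deterministic, but not AES and
    # not invertible. It only models "same key + same input -> same output".
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def _blocks(data):
    data += b"\x00" * (-len(data) % BLOCK)  # zero-pad to a whole block
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def encrypt_independent(key, msg):
    # Every block is transformed on its own, as the article describes.
    return b"".join(_prf(key, b) for b in _blocks(msg))

def encrypt_chained(key, iv, msg):
    # Each block is XORed with the previous output block before the keyed
    # transform, so equal plaintext blocks no longer give equal output.
    out, prev = [], iv
    for b in _blocks(msg):
        prev = _prf(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext):
    # Map each block value seen more than once to the positions it occupies.
    seen = defaultdict(list)
    for i, b in enumerate(_blocks(ciphertext)):
        seen[b].append(i)
    return {b: pos for b, pos in seen.items() if len(pos) > 1}

# Constructed sample: four 16-byte blocks of identical filler around two
# unique blocks (block 0 and block 3).
KEY = b"constructed-demo-key"
IV = bytes(range(BLOCK))
MESSAGE = b"Dear customer,  " + b"-" * 32 + b"invoice 0001 due" + b"-" * 32

if __name__ == "__main__":
    leaky = repeated_blocks(encrypt_independent(KEY, MESSAGE))
    chained = repeated_blocks(encrypt_chained(KEY, IV, MESSAGE))
    print("independent:", sorted(leaky.values()))
    print("chained:    ", sorted(chained.values()))
```

With independent blocks the positions of the filler are visible in the output without the key; with chaining the same message shows no repeats.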

More emails make this process easier and more precise, so it's something attackers may perform if they have obtained email archives stolen during a data breach, or by breaking into someone's email account or email server, or by obtaining access to backups, according to Sintonen.

Being able to analyze the patterns offline would simplify a threat actor's work. Bring Your Own Encryption/Key (BYOE/K) practices would also be undermined.

Sadly, if a threat actor gets their hands on these emails, there is really nothing the company can do about it.

The researcher apparently reported the issue to Microsoft early this year, to no avail. Microsoft said the report was not considered to meet the requirements for a security fix, nor to be a breach. No code change was made, and no CVE was issued for this report.

Via ComputerWeekly