According to a security researcher, Microsoft handling of secure emails(opens in new tab) sent via Microsoft Office 365 has a weakness.
According to ComputerWeekly, a threat actor may reportedly use the flaw to decrypt the contents of encrypted emails with a sizable sample.
Microsoft, on the other hand, has downplayed the significance of the results by claiming that there isn’t truly a defect. The company does not currently have any plans to do a remedy.
greater email volume, simpler finding
Security researcher Harry Sintonen of With Secure (formerly F-Secure) found the issue in Office 365 Message Encryption (OME).
When sending encrypted emails both internally and externally, businesses typically employ OME. A threat actor, however, might possibly divulge information about the communication’s structure given that OME encrypts each cypher block separately and with repeating blocks of the message corresponding to the same cypher text blocks every time.
Sintonen goes on to say that this means a possible threat actor with access to a sufficient sample of OME emails might infer the messages’ contents. All they would have to do is compare the repeated patterns in each message to those in other communications by looking at their location and frequency.
According to Sintonen, “More emails make this procedure easier and more accurate, thus it’s something attackers may undertake after getting their hands on email archives obtained through a data breach, or by hacking into someone’s email account, email server, or acquiring access to backups.”
A threat actor would be able to more easily evaluate the trends if they were given access to the email archives that had been taken via a data breach. Bring Your Own Encryption/Key (BYOE/K) procedures would be rendered useless as a result.
Unfortunately, there isn’t much that organisations can do if a threat actor obtains access to these emails.
The researcher apparently submitted the issue to Microsoft at the beginning of this year, but to no avail. Microsoft confirmed in a statement issued to With Secure that the report was “not neither a breach nor considered to fulfil the bar for security servicing. No CVE was issued for this report since no code changes were done.
