Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Researchers: Office 365 Encryption Flaw Compromise Message Confidentiality

Finnish cybersecurity firm WithSecure has issued an advisory regarding a security flaw identified in the message encryption mechanism used by Microsoft in Office 365.

According to WithSecure’s analysis, this problem occurred because Microsoft uses the Electronic Cookbook/ECB block cipher confidentiality mode, defined by the US NIST (National Institute of Science and Technology).

However, this mode is flawed, and this has already been proven. But the problem is that its replacement cannot be launched before 2023.

How Can the Vulnerability be Exploited?

WithSecure’s advisory revealed that the Microsoft 365 security flaw could be exploited for inferring message contents due to the flawed Office 365 Message Encryption (OME) security method.

This method is used for sending/receiving encrypted email messages between internal/external users without disclosing anything about their communication.

The flaw can allow access to rogue third-party, and they can decipher encrypted emails, thereby exposing sensitive communications of the users. Since ECB leaks the messages’ structural information, this causes confidentiality loss.

During its analysis, WithSecure could recover the contents of an image, which was encrypted with AES. Researchers noted that AES is not flawed because the ECB mode is the real problem.

Office 365 Encryption Flaw Compromise Message Confidentiality
Two images that the researchers managed to extract from an Office 365 Message Encryption protected email

Microsoft’s Response

WithSecure shared that when it notified Microsoft, the company responded that the report didn’t meet the criterion for security servicing and doesn’t classify as a breach.

“The report was not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report.”


While WithSecure has proved that there’s a risk of exploitation, it also referred to NIST’s statement, where the agency stated that the ECB mode was indeed flawed.

This comparison can disclose data repeated across messages like signature blocks or boilerplate info, and attackers can easily map the message’s structure. Therefore, it is surprising that Microsoft doesn’t consider it a real problem.

Nevertheless, users should be cautious, and organizations using OME for email encryption should avoid using it as the sole method of email confidentiality until Microsoft releases a fix or a better option is available.

More Microsoft Security News

  1. Hackers are using Microsoft Teams chat to spread malware
  2. Scammers Leveraging Microsoft Team GIFs in Phishing Attacks
  3. Malicious Office documents make up 43% of all malware downloads
  4. 10 Crucial Security Tips to Reduce Data Loss in Microsoft Office 365
  5. Microsoft Office Most Exploited Software in Malware Attacks – Report

Related News

Researcher create polymorphic Blackmamba malware with ChatGPT

Researcher create polymorphic Blackmamba malware with ChatGPT

The malware can target Windows, macOS and Linux devices. HYAS Institute researcher and cybersecurity expert, Jeff Sims, has developed a…
Owner of Breach Forums Pompompurin Arrested in New York

Owner of Breach Forums Pompompurin Arrested in New York

Pompompurin has been charged with a single count of conspiracy to commit access device fraud. Conor Brian Fitzpatrick (aka Pompompurin,…
New Vishing Attack Spreading FakeCalls Android Malware

New Vishing Attack Spreading FakeCalls Android Malware

The attack scheme begins with the FakeCalls malware masquerading as an online banking application of a reputable South Korean financial…