Finnish cybersecurity firm WithSecure has issued an advisory regarding a security flaw identified in the message encryption mechanism used by Microsoft in Office 365.
According to WithSecure’s analysis, the problem arises because Microsoft uses the Electronic Codebook (ECB) block cipher confidentiality mode, defined by the US National Institute of Standards and Technology (NIST).
This mode is known to be flawed, and this has already been demonstrated; the problem is that its replacement cannot be launched before 2023.
How Can the Vulnerability be Exploited?
WithSecure’s advisory revealed that the Microsoft 365 security flaw could be exploited to infer message contents, because the Office 365 Message Encryption (OME) scheme relies on this flawed mode.
OME is used to send and receive encrypted email between internal and external users without disclosing anything about their communication.
The flaw can give a rogue third party the ability to decipher encrypted emails, exposing users’ sensitive communications. Because ECB leaks structural information about the messages, confidentiality is lost.
During its analysis, WithSecure was able to recover the contents of an image that had been encrypted with AES. The researchers stressed that AES itself is not flawed; the ECB mode in which it is used is the real problem.
WithSecure said that when it notified Microsoft, the company responded that the report did not meet the bar for security servicing and did not qualify as a breach.
“The report was not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report.”
While WithSecure has demonstrated that there is a risk of exploitation, it also pointed to NIST’s own statement that the ECB mode is flawed.
Comparing ciphertext blocks across messages can disclose data repeated between them, such as signature blocks or boilerplate text, and attackers can easily map a message’s structure. It is therefore surprising that Microsoft does not consider this a real problem.
Until Microsoft releases a fix or a better option becomes available, users should be cautious, and organizations using OME for email encryption should not rely on it as their sole means of email confidentiality.
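As an added illustration of the structural leak described above (the recovered image, and the comparison of blocks across messages), written for this page and not WithSecure’s code or Microsoft’s implementation: the script below uses a toy 16-byte Feistel block cipher built from HMAC-SHA256 as a stand-in for AES so it runs with only the Python standard library, encrypts a constructed block-aligned "bitmap" in ECB and in CBC, and shows that the ECB ciphertext reproduces the image’s shape without the key while the CBC ciphertext does not. It also includes a defender-side check (the number of distinct ciphertext blocks) that flags ECB-style output over structured data. The key, IV and image are constructed sample values.

```python
import hashlib
import hmac
import string

BLOCK = 16   # block size in bytes, same as AES
ROUNDS = 8   # Feistel rounds in the toy cipher


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: truncated HMAC-SHA256 (toy stand-in for AES)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block. Any Feistel network is a permutation, so
    distinct inputs always give distinct outputs, like AES."""
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block is encrypted independently, so equal plaintext blocks
    always produce equal ciphertext blocks. That is the leak."""
    return b"".join(block_encrypt(key, b) for b in _blocks(pkcs7_pad(plaintext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before
    encryption, so plaintext repeats do not appear in the ciphertext."""
    out, prev = [], iv
    for b in _blocks(pkcs7_pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    blocks = _blocks(ciphertext)
    out, prev = [], blocks[0]
    for c in blocks[1:]:
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return pkcs7_unpad(b"".join(out))


def unique_block_count(ciphertext: bytes) -> int:
    """Defender-side check: far fewer distinct blocks than total blocks is the
    signature of ECB over structured data; chained modes show no repeats."""
    return len(set(_blocks(ciphertext)))


def render_structure(ciphertext: bytes, width: int):
    """Give each distinct ciphertext block a symbol and lay the blocks out in
    rows of `width`. With ECB this reproduces the image's shape without the key."""
    symbols = ".#" + string.ascii_letters
    seen, rows, row = {}, [], ""
    for b in _blocks(ciphertext):
        if b not in seen:
            seen[b] = symbols[len(seen)] if len(seen) < len(symbols) else "?"
        row += seen[b]
        if len(row) == width:
            rows.append(row)
            row = ""
    if row:
        rows.append(row)
    return rows


# Constructed sample: a 4-block-wide "bitmap"; each cell is one block of
# all-0x00 (background, ".") or all-0xFF (foreground, "#") bytes.
SHAPE = ["....", ".##.", ".##.", ".##.", "...."]
IMAGE = b"".join((b"\xff" if c == "#" else b"\x00") * BLOCK
                 for row in SHAPE for c in row)

if __name__ == "__main__":
    key, iv = b"k" * 16, b"\x01" * 16   # constructed sample key and IV
    for name, ct in (("ECB", ecb_encrypt(key, IMAGE)),
                     ("CBC", cbc_encrypt(key, IMAGE, iv))):
        print(name, "distinct blocks:", unique_block_count(ct), "of", len(_blocks(ct)))
        print("\n".join(render_structure(ct, 4)), "\n")
```

Running it prints the original shape back out of the ECB ciphertext (three distinct blocks: background, foreground and the padding block), while the CBC ciphertext has every block distinct and renders as noise. The same `unique_block_count` idea applied to stored attachments or message bodies is a cheap way for a defender to spot ECB-encrypted blobs in an environment.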