Rules Navigator

Warning issued on Office 365 mail vulnerability, but Microsoft denies problem

Office 365 packaging
Photo: Getty Images

Martin Cloake

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

Use of ECB encryption shown to leave mail vulnerable in security firm’s tests.

Cybersecurity company WithSecure has published details of a vulnerability in Microsoft Office 365 Message encryption (OME), but Microsoft is so far refusing to acknowledge there is a risk that needs addressing.

WithSecure says the problem comes from Microsoft’s decision to use a block cypher confidentiality mode called Electronic Codebook (ECB). A notice issued by the US National Institute of Science and Technology (NIST) in March 2022 said “the use of ECB to encrypt confidential information constitutes a severe security vulnerability”. This is because: “The ECB mode encrypts plaintext blocks independently, without randomization; therefore, the inspection of any two ciphertext blocks reveals whether or not the corresponding plaintext blocks are equal.”

Repeated patterns

Researchers at WithSecure say this means if a bad actor gets hold of enough OME emails they could analyze repeated patterns in the messages and match them to other OME files. WithSecure was able to recover images from messages sent and provides examples of this in its notice. It does not give examples of body text being recovered, for obvious reasons.

The company reported the issue to Microsoft but the software giant responded with the following statement. “The report was not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report.”

That led WithSecure to conclude: “Because there is no fix from Microsoft or a more secure mode of operation available to email admins or users, WithSecure recommends avoiding the use of OME as a means of ensuring the confidentiality of emails.”

Proven risk

Industry commentators are mystified at Microsoft’s stance. Ian Murphy, on business and tech website Enterprise Times, says: “The question is, how did Microsoft arrive at this conclusion? On the face if it, WithSecure has proven there is a risk that can be exploited… At this point, there is no reason to think WithSecure is wrong in its assessment of the risk.”

All of which leaves companies that used OME with a major problem. Changing an email system is a complex task, but even if an organization stops using OME now, it doesn’t protect historical records. And it’s also unclear whether the vulnerability could leave organizations open to legal action under the terms of privacy regulation in various jurisdictions.

, ,

You may also like