According to security researchers at WithSecure, there is a flaw in Microsoft Office 365 that could allow third parties to see parts or all of encrypted messages sent on the productivity suite. The research team says the issue stems from a weakness in the block cipher mode of operation.
Needless to say, this is a potentially significant problem because Microsoft Office 365 Message Encryption is used by businesses to send sensitive and/or private information. Like all encryption, it provides confidentiality for sending messages safely from point to point.
In Office 365, the problem lies in the mode that controls data encryption: Electronic Code Book (ECB). ECB is a mode that leaks information about the plaintext message, because areas of the plaintext data that repeat have the same encryption if the same key is used.
This is problematic because it creates a pattern that could allow threat actors to work out the structural information of messages. That means they cannot directly see the message, but if skilled enough they can look for patterns to make the messages readable:
“More emails make this process easier and more accurate, so it's something attackers can perform after getting their hands on email archives stolen during a data breach, or by breaking into someone's email account, email server or gaining access to backups,” says Harry Sintonen of WithSecure.
The main problem with ECB is that repetitive areas in the plaintext data have the same encrypted result when the same key is used, thus creating a pattern.
We have previously seen what can happen when ECB mode is broken: Adobe suffered a huge data breach in 2013. During that episode, tens of millions of passwords were taken and leaked online.
A Microsoft spokesperson told BleepingComputer that “rights management feature is intended as a tool to prevent accidental misuse and is not a security boundary.”
“To help prevent abuse we recommend customers follow best security practices, including keeping systems up to date, enabling multi-factor authentication, and using a real time anti-malware product”.