Microsoft 365 Message Encryption Can Leak Sensitive Info

[upnorth]

Content source

https://www.darkreading.com/application-security/microsoft-365-message-encryption-can-leak-sensitive-info

Researchers have discovered what they call a vulnerability in Microsoft 365, tied to the use of a broken or risky cryptographic algorithm. It could be exploited to infer some or all the content of encrypted email messages, they warned — but Microsoft has declined to address the issue. Third-party researchers tell Dark Reading that the real-world risk from the issue depends on an organization's profile.

Microsoft 365 (formerly Office 365) offers a method of sending encrypted messages (Office 365 Message Encryption, or OME) using Electronic Codebook (ECB), a mode of operation known to expose certain structural information about messages. WithSecure principal security consultant Harry Sintonen wrote in an Oct. 14 posting that if an attacker had access to enough emails using OME, it's possible to access leaked information by analyzing the frequency of repeating patterns in individual messages and then matching those patterns with those in other encrypted emails and files.

"This could impact anyone using OME, if the attachment in question has the properties that make it decipherable in this way," he tells Dark Reading. "Of course, for the extraction to be possible, the adversary first needs to get access to the actual encrypted email message." Sintonen explains that even if the files did not have a larger structure that could directly be revealed, there is still possibility of fingerprinting files. "If a file has some repeating blocks, you could construct a fingerprint from the relation of these repeating blocks," he says. "You can then scan the encrypted email messages for these fingerprints. If found, you know that this email message included the specific file."

In January 2022, Sintonen shared his research findings with Microsoft. Microsoft acknowledged the problem and compensated Sintonen as part of its vulnerability rewards program but decided against fixing it. "The report was not considered meeting the bar for security servicing, nor is it considered a breach," the computing giant responded. "No code change was made and so no CVE was issued for this report."

Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber-hygiene, says he thinks Microsoft choosing not to fix it either means that there is a new message encryption capability soon to be released, or that the "fix" would need to be a complete rewrite of this capability.

Microsoft 365 Message Encryption Can Leak Sensitive Info

The default email encryption used in Microsoft Office's cloud version is leaky, which the company acknowledged but said it wouldn't fix.

www.darkreading.com

 

[upnorth]

In an email to The Register, a Microsoft spokesperson said, "The rights management feature is intended as a tool to prevent accidental misuse and is not a security boundary. To help prevent abuse we recommend customers follow best security practices, including keeping systems up to date, enabling multi-factor authentication, and using a real time anti-malware product."

WithSecure says that organizations using Office 365 Message Encryption may wish to consider the legal ramifications of this vulnerability, particularly with regard to EU and California privacy rules. "Since Microsoft has no plans to fix this vulnerability the only mitigation is to avoid using Microsoft Office 365 Message Encryption," the lab concludes.

Microsoft Office 365 uses insecure block ciphers

Redmond says OME isn't supposed to be used for security, just for something else

www.theregister.com