Researchers have discovered what they call a vulnerability in Microsoft 365, tied to the use of a broken or risky cryptographic algorithm. It could be exploited to infer some or all the content of encrypted email messages, they warned — but Microsoft has declined to address the issue.

Third-party researchers tell Dark Reading that the real-world risk from the issue depends on an organization's profile. 

A Flawed Crypto Approach

Microsoft 365 (formerly Office 365) offers a method of sending encrypted messages (Office 365 Message Encryption, or OME) using Electronic Codebook (ECB), a mode of operation known to expose certain structural information about messages.

WithSecure principal security consultant Harry Sintonen wrote in an Oct. 14 posting that if an attacker had access to enough emails using OME, it's possible to access leaked information by analyzing the frequency of repeating patterns in individual messages and then matching those patterns with those in other encrypted emails and files.

"This could impact anyone using OME, if the attachment in question has the properties that make it decipherable in this way," he tells Dark Reading. "Of course, for the extraction to be possible, the adversary first needs to get access to the actual encrypted email message."

Sintonen explains that even if the files did not have a larger structure that could directly be revealed, there is still possibility of fingerprinting files.

"If a file has some repeating blocks, you could construct a fingerprint from the relation of these repeating blocks," he says. "You can then scan the encrypted email messages for these fingerprints. If found, you know that this email message included the specific file."

He adds that it's also possible to leverage artificial intelligence (AI) to find similar fingerprints to find content that is related, perhaps part of a set of similar files.

Microsoft: No Fix Forthcoming

In January 2022, Sintonen shared his research findings with Microsoft. Microsoft acknowledged the problem and compensated Sintonen as part of its vulnerability rewards program but decided against fixing it.

"The report was not considered meeting the bar for security servicing, nor is it considered a breach," the computing giant responded. "No code change was made and so no CVE was issued for this report."

Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber-hygiene, says he thinks Microsoft choosing not to fix it either means that there is a new message encryption capability soon to be released, or that the "fix" would need to be a complete rewrite of this capability.

"It could also be that usage of this feature [is] of low enough or limited enough that Microsoft would decline to fix it," he adds. "Even if Microsoft declines to fix this, it should at least remove or restrict the use of message encryption within Office 365 until a better solution is available to users."

And indeed, companies can mitigate the problem by not using the OME feature — but even that does not eliminate the risk entirely.

"If they have been using OME encryption and this issue is determined to be a problem, they have no other recourse than ceasing to use the problematic service — OME — and replace it with another, secure solution," Sintonen says.

This, however, doesn’t remedy the fact that large amounts of poorly encrypted email messages may linger in various parts of the Internet and could be analyzed by actors who gain access to them.

Senders, Recipients at Risk?

Broomhead notes that for many years the fear has been that encrypted data that was previously exfiltrated may someday be decrypted and exploited.

"For threat actors who have harvested large amounts of encrypted Microsoft Office 365 email messages, that day may be today," he says, adding that he thinks it's clearly "a bug of high severity."

"Both senders and recipients are at risk — especially with people outside the organization, the desire to use encryption may have been to protect trade or other organizational secrets," Broomhead says.

That said, the need to have a large number of encrypted emails to use this vulnerability narrows the victimology — by definition it would be larger organizations who felt the need to encrypt large numbers of email messages. And, highly sensitive information usually already has additional layers of data protection, Mike Parkin, senior technical engineer at Vulcan Cyber, points out.

"Those who require truly secure email have other options they can use," Parkin says. "For example, using GPG encryption and sending the encrypted message as an attachment."

He says that as a result, most business users won't be affected by the level of data leakage here, unless they are in the habit of sending highly sensitive, and time sensitive, information through Microsoft 365.

"It's sufficient to keep most expected threats at bay but wouldn't be adequate versus a well-resourced state or state-sponsored threat actor," he says. "High-value communications require highly secure cryptographic algorithms and protocols. In practice, the encryption[s] available in Office 365 are enough for most users."

On the flip side, Parkin notes that people can come to rely on basic encryption keeping their information safe, and anything that gives a potential threat actor insight into that secure communication is problematic.

"Ideally, encrypted traffic shouldn't reveal anything about the contents of the message beyond the sender and receiver information required to get it point to point," he says.