There is a flaw in the way Microsoft handles secure emails (opens in new tab) sent through Microsoft Office 365, a security researcher has claimed.
As reported by ComputerWeekly, with a sufficiently large sample, a threat actor could apparently abuse the loophole to decipher the contents of encrypted emails.
However, Microsoft has played down the importance of the findings, saying it’s not really a flaw. For the time being, the company has no intention of putting in place a remediation.
More emails, easier discovery
The flaw was discovered by security researcher Harry Sintonen of WithSecure (formerly F-Secure) in Office 365 Message Encryption (OME).
Organizations usually use OME when looking to send encrypted emails, both internally and externally. But given the fact that OME encrypts each cipher block individually, and with repeating blocks of the message corresponding to the same cipher text blocks every time, a threat actor can theoretically reveal details about the message’s structure.
This, Sintonen further claims, means that a potential threat actor with big enough a sample of OME emails could deduce the contents of the messages. All they’d need to do is analyze the location and frequency of repeating patterns in each message, and match them to other messages.
“More emails make this process easier and more accurate, so it’s something attackers can perform after getting their hands on email archives stolen during a data breach, or by breaking into someone’s email account, email server or gaining access to backups,” Sintonen said.
If a threat actor obtains email archives stolen during a data breach, that means they’d be able to analyze the patterns offline, further simplifying the work. That would also render Bring Your Own Encryption/Key (BYOE/K) practices obsolete, too.
Unfortunately, if a threat actor gets their hands on these emails, there’s really not much businesses can do.
Apparently, the researcher reported the problem to Microsoft early this year, to no avail. In a statement provided to WithSecure, Microsoft said the report was “not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report”.
Via ComputerWeekly (opens in new tab)