Skip to Content

Microsoft Office 365 Message Encryption flaw

Updated on 2022-10-17: Microsoft365 encryption flaw

WithSecure researchers said they found a vulnerability in the Microsoft Office 365 Message Encryption (OME) system that can leak information about encrypted emails sent through the service. The issue has been linked to Microsoft’s use of the insecure Electronic Codebook (ECB) mode of operation. WithSecure said that after notifying Microsoft, the company has declined to patch the issue.

“Unfortunately the OME messages are encrypted in insecure Electronic Codebook (ECB) mode of operation. […] This mode is generally insecure and can leak information about the structure of the messages sent, which can lead to partial or full message disclosure.”

Overview: Office 365 message encryption flaw exposes scrambled text

Wild findings from security researchers at WithSecure, which found a flaw in Office 365’s Message Encryption (OME), which utilizes Electronic Codebook (or ECB, keeping up?). But this mode is “generally insecure” as it can “leak information about the structure of the messages sent, which can lead to partial or full message disclosure.” The researchers explain the goods, but in short, while the actual cleartext of an encrypted email message isn’t revealed directly, information about its structure is, which means you can see “outlines” of letters. Read more: Microsoft Office 365 Message Encryption Insecure Mode of Operation

Case in point, this RAW image that’s been AES encrypted in ECB mode, per the researchers:

Office 365 message encryption flaw exposes scrambled text

    Ads Blocker Image Powered by Code Help Pro

    It looks like you are using an adblocker.

    Ads keep our content free. Please consider supporting us by allowing ads on pupuweb.com