Updated on 2022-10-17: Microsoft365 encryption flaw
WithSecure researchers said they found a vulnerability in the Microsoft Office 365 Message Encryption (OME) system that can leak information about encrypted emails sent through the service. The issue has been linked to Microsoft’s use of the insecure Electronic Codebook (ECB) mode of operation. WithSecure said that after notifying Microsoft, the company has declined to patch the issue.
“Unfortunately the OME messages are encrypted in insecure Electronic Codebook (ECB) mode of operation. […] This mode is generally insecure and can leak information about the structure of the messages sent, which can lead to partial or full message disclosure.”
Overview: Office 365 message encryption flaw exposes scrambled text
Wild findings from security researchers at WithSecure, which found a flaw in Office 365’s Message Encryption (OME), which utilizes Electronic Codebook (or ECB, keeping up?). But this mode is “generally insecure” as it can “leak information about the structure of the messages sent, which can lead to partial or full message disclosure.” The researchers explain the goods, but in short, while the actual cleartext of an encrypted email message isn’t revealed directly, information about its structure is, which means you can see “outlines” of letters. Read more: Microsoft Office 365 Message Encryption Insecure Mode of Operation
Case in point, this RAW image that’s been AES encrypted in ECB mode, per the researchers: