A vulnerability exists in the way Microsoft handles secure e-mail (opens in a new tab) posted via Microsoft Office 365, says a security researcher.
As reported Weekly computerwith a sufficiently large sample size, an agent could apparently exploit the vulnerability to decrypt the content of encrypted email messages.
However, Microsoft has downplayed the importance of the findings by saying it’s not really a flaw. For now, the company has no intention of implementing any remedial measures.
More e-mails, easier discovery
The vulnerability was discovered by security researcher Harry Sintonen of WithSecure (formerly F-Secure) in Office 365 Message Encryption (OME).
Organizations typically use OME when they want to send encrypted email, both internally and externally. But considering the fact that OME encrypts each cipher block individually and repeating message blocks corresponding to the same ciphertext blocks each time, an attacker could theoretically reveal details about the structure of the message.
This, Sintonen says, means that a potential cybercriminal with a large enough OME email sample can infer the content of the message. All they have to do is analyze the location and frequency of the repeating patterns in each message and match them with the other messages.
“More emails makes the process easier and more accurate, so it’s something attackers can do after gaining email archives stolen during a data breach, or by hacking someone’s email account, mail server, or obtaining access to backups, ”Sintonen said.
If a cybercriminal obtains e-mail archives stolen during a data breach, it means that he will be able to analyze patterns offline, which will further simplify the work. This would also make Bring Your Own Encryption / Key (BYOE / K) practices obsolete.
Unfortunately, if a cybercriminal gets into these e-mails, not many companies can really do.
Apparently, the researcher reported the problem to Microsoft earlier this year, but to no avail. In a statement released to WithSecure, Microsoft said the report “is not considered to meet security handling requirements, nor is it considered a breach. There has been no code change so no CVE has been issued for this report. “
By Weekly computer (opens in a new tab)