Office 365 Encryption Flaw Exposes Email Content, A Little-Known Big Security Risk
By: Jim Stickley and Tina Davis
November 20, 2022
Microsoft’s Office 365 has a new bug you’ll want to squash if you rely on it to keep sensitive information sent via email secure. The bug in question belongs to Microsoft Office 365 Message Encryption (OME), which encrypts email messages and attachments so they can’t be read by those with bad intent. Secure messaging is the whole idea behind using OME, but with this flaw, that is not the reality.
WithSecure discovered and reported this OME security flaw to Microsoft, expecting a response from the tech giant. Microsoft left the multiple inquiries unanswered until recently, saying “The report was not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made, so no CVE was issued for this report.”
As it is, if you’re waiting for Microsoft to issue a patch, then according to Microsoft, it’s not going to happen. So be aware that sending sensitive information through encrypted email using the flawed OME doesn’t guarantee it is safe from cybercriminals who intercept it and can then decrypt and read it.
How It’s Done
WithSecure took it upon themselves to issue an advisory warning organizations about the flaw, and in particular that Microsoft isn’t willing to provide a patch. Part of their advisory reads: “Since the encrypted messages are sent as regular email attachments, the messages sent may be stored in various email systems and may have been intercepted by any party between the sender and the recipient…”
The advisory further warns that exploiting the OME flaw allows attackers to work on decrypting messages offline, which means messages that were already sent and saved can be decrypted as well. WithSecure also offered their own advice to OME users: “End user or administrator of the email system has no option to enforce more secure mode of operation. Since Microsoft has no plans to fix this vulnerability the only mitigation is to avoid using Microsoft Office 365 Message Encryption.”
What You Can Do
Sharing sensitive information like PII (personally identifiable information) via email is never a good idea. Email should not be considered secure, whether for business or personal use. Any number of things can go wrong even if you don’t use this encryption. Email passwords can be easily stolen and abused, including being sold online to hackers. Hijacked content can be used for blackmail, identity theft and all kinds of fraud. The smart money is on keeping your PII to yourself. If you need to share something sensitive with a friend or co-worker, face-to-face is the simplest, safest way to do it. A phone call is next. Remember, keeping it simple helps keep it safer.