Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Flaw in Microsoft OME Could Lead to Leakage of Encrypted Data

WithSecure researcher Harry Sintonen has released an advisory on issues with Microsoft Office 365 Message Encryption (OME). OME is used to send encrypted emails.

WithSecure researcher Harry Sintonen has released an advisory on issues with Microsoft Office 365 Message Encryption (OME). OME is used to send encrypted emails. It uses the Electronic Codebook implementation, which can leak certain structural information about emails.

Issues with ECB are not unknown. In its Announcement of Proposal to Revise Special Publication 800-38A, NIST wrote, “The ECB mode encrypts plaintext blocks independently, without randomization; therefore, the inspection of any two ciphertext blocks reveals whether or not the corresponding plaintext blocks are equal… the use of ECB to encrypt confidential information constitutes a severe security vulnerability.”

Sintonen comments, “Attackers who are able to get their hands on multiple messages can use the leaked ECB info to figure out the encrypted contents. More emails make this process easier and more accurate.”

The problem is not one of decryption, and the cleartext content of the message is not directly revealed. Nevertheless, some content can be revealed.

Since repeating blocks of the cleartext message always map to the same ciphertext blocks, an attacker with a database of stolen emails can analyze them offline for these patterns, and be able to infer parts of the cleartext of the encrypted emails.

Image extracted from the Office 365 Message Encryption protected email 

Image extracted from O365 message

In this sense, the problem is similar to the ‘harvest now, decrypt later’ threat of quantum decryption. Adversaries could steal large quantities of emails knowing that the more they have, the greater number of repeated patterns will be discovered in analysis, and the more accurate their cleartext inferences will become. For example, autocratic states could use this methodology to infer the identity of political activists, and locate other members of activist groups.

The attacker would look for a ciphertext block that appears to be of potential interest, and then use that as a fingerprint to highlight other emails containing the same fingerprint. This search across all the available emails would be automated. 

AI is also a potential aid. The AI could detect potentially, but not exactly, comparable ciphertext blocks. “AI could detect similarities in files that aren’t one of the ‘fingerprinted’ files,” Sintonen told SecurityWeek. This could increase the number of inferences that could be concluded. “You would certainly be able to leverage AI in the analysis,” he added.

Sintonen reported his findings to Microsoft in January 2022. He was awarded $5k for his discovery, and consequently expected to hear back from Microsoft that a patch was planned. Nothing happened. Eventually, he was told, “The report was not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report.”

It is not clear why Microsoft has taken this stance. It may be because the company – like all other companies – must plan to move towards NIST’s quantum safe encryption methods over the next few years. The difficulty in ensuring that all apps that use OME must be simultaneously patched may also play into the decision. Or its message may be taken at face value: it is not considered serious.

But the potential should not be ignored. “Any organization with personnel that used OME to encrypt emails are basically stuck with this problem. For some, such as those that have confidentiality requirements put into contracts or local regulations, this could create some issues. And then of course, there’s questions about the impact this data could have in the event it’s actually stolen, which makes it a significant concern for organizations,” said Sintonen. 

The only mitigation for this flaw is to stop using OME to encrypt sensitive files.

Related: Investors Bet Big on Attempts to Solve Encryption ‘Holy Grail’

Related: Is OTP a Viable Alternative to NIST’s Post-Quantum Algorithms?

Related: Zoom Announces Better Encryption, Other Security Improvements

Related: New Ducktail Infostealer Targets Facebook Business Accounts via LinkedIn

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.