WithSecure researcher Harry Sintonen has released an advisory on issues with Microsoft Office 365 Message Encryption (OME). OME is used to send encrypted emails. It uses the Electronic Codebook (ECB) mode of operation, which can leak certain structural information about emails.
Issues with ECB are not unknown. In its Announcement of Proposal to Revise Special Publication 800-38A, NIST wrote, “The ECB mode encrypts plaintext blocks independently, without randomization; therefore, the inspection of any two ciphertext blocks reveals whether or not the corresponding plaintext blocks are equal… the use of ECB to encrypt confidential information constitutes a severe security vulnerability.”
Sintonen comments, “Attackers who are able to get their hands on multiple messages can use the leaked ECB info to figure out the encrypted contents. More emails make this process easier and more accurate.”
The problem is not one of decryption, and the cleartext content of the message is not directly revealed. Nevertheless, some content can be revealed.
Since repeating blocks of the cleartext message always map to the same ciphertext blocks, an attacker with a database of stolen emails can analyze them offline for these patterns and infer parts of the cleartext of the encrypted emails.
Image extracted from O365 message
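The block-equality leak described above can be reproduced and measured. The following is an added example, not code from the advisory or from Microsoft: it uses a toy Feistel cipher as a stand-in for AES, and the key, nonces and messages are constructed sample values. It counts repeated ciphertext blocks under ECB and, for contrast, under counter mode.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # bytes per block, the same size AES uses

def toy_block_encrypt(key, block):
    """Stand-in block cipher (4-round Feistel over HMAC-SHA256), NOT AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, msg):
    """ECB: pad, then encrypt every block independently with no randomization."""
    n = BLOCK - len(msg) % BLOCK
    return b"".join(toy_block_encrypt(key, b) for b in blocks(msg + bytes([n]) * n))

def ctr_encrypt(key, nonce, msg):
    """Counter mode for contrast: each block is XORed with a unique keystream block."""
    out = b""
    for i, b in enumerate(blocks(msg)):
        ks = toy_block_encrypt(key, nonce + i.to_bytes(8, "big"))
        out += bytes(x ^ y for x, y in zip(b, ks))
    return out

def repeated_within(ct):
    """Number of ciphertext blocks whose value occurs more than once in one message."""
    return sum(c for c in Counter(blocks(ct)).values() if c > 1)

def shared_between(ct_a, ct_b):
    """Number of distinct block values that appear in both ciphertexts."""
    return len(set(blocks(ct_a)) & set(blocks(ct_b)))

# Constructed sample data: two messages that share a block-aligned header.
KEY = b"constructed-demo-key"
HEADER = b"CONFIDENTIAL -- " * 2
MSG_A = HEADER + b"meeting at noon."
MSG_B = HEADER + b"budget approved!"

if __name__ == "__main__":
    ecb_a, ecb_b = ecb_encrypt(KEY, MSG_A), ecb_encrypt(KEY, MSG_B)
    ctr_a = ctr_encrypt(KEY, b"nonce-A!", MSG_A)
    ctr_b = ctr_encrypt(KEY, b"nonce-B!", MSG_B)
    print("ECB repeats in A:", repeated_within(ecb_a), "shared A/B:", shared_between(ecb_a, ecb_b))
    print("CTR repeats in A:", repeated_within(ctr_a), "shared A/B:", shared_between(ctr_a, ctr_b))
```

Under ECB the repeated header and the identical padding block are visible in the ciphertext without any key; under counter mode with distinct nonces no block repeats.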
In this sense, the problem is similar to the ‘harvest now, decrypt later’ threat of quantum decryption. Adversaries could steal large quantities of emails knowing that the more they have, the greater the number of repeated patterns that will be discovered in analysis, and the more accurate their cleartext inferences will become. For example, autocratic states could use this methodology to infer the identity of political activists, and locate other members of activist groups.
The attacker would look for a ciphertext block that appears to be of potential interest, and then use that as a fingerprint to highlight other emails containing the same fingerprint. This search across all the available emails would be automated.
AI is also a potential aid. It could flag ciphertext blocks that are potentially comparable without being exact matches. “AI could detect similarities in files that aren’t one of the ‘fingerprinted’ files,” Sintonen told SecurityWeek. This could increase the number of inferences that could be drawn. “You would certainly be able to leverage AI in the analysis,” he added.
Sintonen reported his findings to Microsoft in January 2022. He was awarded $5k for his discovery, and consequently expected to hear back from Microsoft that a patch was planned. Nothing happened. Eventually, he was told, “The report was not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report.”
It is not clear why Microsoft has taken this stance. It may be because the company – like all other companies – must plan to move towards NIST’s quantum safe encryption methods over the next few years. The difficulty of ensuring that all apps that use OME are patched simultaneously may also play into the decision. Or its message may be taken at face value: it is not considered serious.
But the potential should not be ignored. “Any organization with personnel that used OME to encrypt emails are basically stuck with this problem. For some, such as those that have confidentiality requirements put into contracts or local regulations, this could create some issues. And then of course, there’s questions about the impact this data could have in the event it’s actually stolen, which makes it a significant concern for organizations,” said Sintonen.
The only mitigation for this flaw is to stop using OME to encrypt sensitive files.