Flaw in Microsoft OME Could Lead to Leakage of Encrypted Data

WithSecure researcher Harry Sintonen has released an advisory on issues with Microsoft Office 365 Message Encryption (OME). OME is used to send encrypted emails. It uses the Electronic Codebook (ECB) mode of operation, which can leak certain structural information about emails.

Issues with ECB are not unknown. In its Announcement of Proposal to Revise Special Publication 800-38A, NIST wrote, “The ECB mode encrypts plaintext blocks independently, without randomization; therefore, the inspection of any two ciphertext blocks reveals whether or not the corresponding plaintext blocks are equal… the use of ECB to encrypt confidential information constitutes a severe security vulnerability.”

Sintonen comments, “Attackers who are able to get their hands on multiple messages can use the leaked ECB info to figure out the encrypted contents. More emails make this process easier and more accurate.”

The problem is not one of decryption, and the cleartext content of the message is not directly revealed. Nevertheless, some content can be revealed.

Since repeating blocks of the cleartext message always map to the same ciphertext blocks, an attacker with a database of stolen emails can analyze them offline for these patterns and infer parts of the cleartext of the encrypted emails.
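The block-equality leak described above, as an added example that is not from the article or from Sintonen's advisory. It assumes a toy Feistel cipher built on HMAC-SHA256 as a stand-in for AES, constructed sample messages, and a CTR-style randomized mode for contrast; all function names are hypothetical.

```python
import hashlib, hmac, os
from collections import Counter

BLOCK = 16  # block size in bytes, as in AES

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation; assumed stand-in for AES, NOT a real cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def encrypt_ecb(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every padded block is encrypted independently, with no randomization."""
    n = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes([n]) * n
    return b"".join(toy_block_encrypt(key, b) for b in split_blocks(padded))

def encrypt_ctr(key: bytes, plaintext: bytes) -> bytes:
    """Randomized contrast: fresh 8-byte nonce per message, keystream E(nonce || counter)."""
    nonce = os.urandom(8)
    out = bytearray()
    for i, b in enumerate(split_blocks(plaintext)):
        ks = toy_block_encrypt(key, nonce + i.to_bytes(8, "big"))
        out += bytes(x ^ y for x, y in zip(b, ks))
    return nonce + bytes(out)

def repeated_blocks(ciphertext: bytes) -> int:
    """Audit check: how many blocks duplicate an earlier block in the same ciphertext."""
    return sum(c - 1 for c in Counter(split_blocks(ciphertext)).values())

def common_blocks(ct_a: bytes, ct_b: bytes) -> int:
    """How many distinct blocks two ciphertexts have in common."""
    return len(set(split_blocks(ct_a)) & set(split_blocks(ct_b)))

# Constructed sample messages: a shared, block-aligned 32-byte header plus a unique body.
KEY = b"constructed demo key"
HEADER = b"CONFIDENTIAL -- " * 2
MSG_A = HEADER + b"meeting at noon."
MSG_B = HEADER + b"budget approved."

if __name__ == "__main__":
    for enc, skip in ((encrypt_ecb, 0), (encrypt_ctr, 8)):  # skip the CTR nonce prefix
        a, b = enc(KEY, MSG_A)[skip:], enc(KEY, MSG_B)[skip:]
        print(enc.__name__, repeated_blocks(a), common_blocks(a, b))
```

Under ECB the two header blocks and the final padding block are visibly equal, both within one message and across the two messages, without any key material. A non-zero `repeated_blocks` count on stored ciphertext is a practical signal during a crypto review that a deterministic mode is in use.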

Image extracted from the Office 365 Message Encryption protected email 

In this sense, the problem is similar to the ‘harvest now, decrypt later’ threat of quantum decryption. Adversaries could steal large quantities of emails knowing that the more they have, the greater the number of repeated patterns that will be discovered in analysis, and the more accurate their cleartext inferences will become. For example, autocratic states could use this methodology to infer the identity of political activists, and locate other members of activist groups.

The attacker would look for a ciphertext block that appears to be of potential interest, and then use that as a fingerprint to highlight other emails containing the same fingerprint. This search across all the available emails would be automated. 

AI is also a potential aid. It could detect ciphertext blocks that are comparable, though not identical. “AI could detect similarities in files that aren’t one of the ‘fingerprinted’ files,” Sintonen told SecurityWeek. This could increase the number of inferences that could be drawn. “You would certainly be able to leverage AI in the analysis,” he added.

Sintonen reported his findings to Microsoft in January 2022. He was awarded $5k for his discovery, and consequently expected to hear back from Microsoft that a patch was planned. Nothing happened. Eventually, he was told, “The report was not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report.”

It is not clear why Microsoft has taken this stance. It may be because the company – like all other companies – must plan to move towards NIST’s quantum safe encryption methods over the next few years. The difficulty of ensuring that all apps that use OME are patched simultaneously may also play into the decision. Or its message may be taken at face value: it is not considered serious.

But the potential should not be ignored. “Any organization with personnel that used OME to encrypt emails are basically stuck with this problem. For some, such as those that have confidentiality requirements put into contracts or local regulations, this could create some issues. And then of course, there’s questions about the impact this data could have in the event it’s actually stolen, which makes it a significant concern for organizations,” said Sintonen. 

The only mitigation for this flaw is to stop using OME to encrypt sensitive files.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
