For MetaBeat 2022, we’ve created a library of all the featured sessions that are available to watch on-demand. You’re able to view them right here, or you can head over to our YouTube channel to watch them live.
Many enterprise-grade solutions come with a lot of effort and limited adoption. Office 365 has had high adoption rates, but new research suggests that encrypted emails could be vulnerable to decryption by hackers.
A researcher from cloud and endpoint protection provider WithSecure has discovered an unpatchable flaw in Microsoft Office 365 Message Encryption. This flaw allows a hacker to infer the contents of encrypted messages.
A guide to help innovators navigate the high-performing network, discover resources and opportunities, and define their success with the help of networks.
OME uses the Electronic CodeBook (ECB) block cipher to encrypt messages, which can mean an attacker can easily decrypt them if they have many emails.
Having an encrypted email service isn’t enough. This is a word from experience and highlights that just because your emails are encrypted, doesn’t mean they’re protected from the threat or actors. If someone manages to steal your email archives or backups, and access your email server, they can use this technique to sidestep any security controls and compromise all of your incoming data.
Isn’t it easy for attackers to decrypt Office 365 emails?
After researchers discovered hackers were using two new exploits to troll Microsoft Exchange servers, the company swiftly defended its programs with a patch.
When the Office 365 vulnerability was discovered, WithSecure initially made a report to Microsoft. After Microsoft acknowledged it and paid the researcher through their vulnerability reward program, they haven’t issued a fix yet.
Microsoft isn’t the only company to use EC-B and it’s getting plenty of heavy criticism for not using TLS. Zoom also experienced a lot of backlash due to the encrypted calls and leaked private videos.
There is a vulnerability in Office 365 that doesn’t directly decrypt message content, but it might tell an attacker what is being communicated. With enough email patterns in hand, information is at risk of disclosure through inference.
A “malicious party who gains access to the encrypted emails can extract some information from the supposedly encrypted emails,” said Harry Sintonen, principal security consultant at WithSecure.
Abusing how email servers interpret character sets can be tempting for hackers. In terms of risk, Sintonen noted that “particular high-risk users” would be “ones who use OME to encrypt highly sensitive communications, and for which it is important to avoid revealing sources (or parties of communication in general). A good example would be activists or journalists,” he said.
For example, if a journalist sends a highly sensitive document to a contact, a state-sponsored threat actor could create an information signature for it. This signature will help them to identify the target and see what other encrypted emails that person has sent.
When it comes to security, nothing is ever 100% secure. This staggering rise in data breaches tells us that we can’t afford to assume that our encrypted emails are impervious to threats.
Businesses using OME should investigate the level of threat. That’s not only about identifying what type of materials are shared via email, but also anticipating which information or files could be exposed and the impact that it could have.
The question of whether or not organizations should be using Office 365’s built-in encryption is ultimately one of whether or not they’re willing to expose themselves to potential risks. Organizations that use Office 365 typically make their own decisions on what level of risk they are comfortable with.
