October 18, 2022
Security researchers at WithSecure have discovered a vulnerability in Microsoft 365 that involves the platform’s use of a broken cryptographic algorithm.
The bug was found in Office 365 Message Encryption (OME), a security mechanism used to send and receive encrypted email messages between users inside and outside an organization.
The weakness in the cryptographic algorithm could allow third parties who obtain the encrypted emails to perform several actions, including deciphering the messages, effectively undermining the confidentiality of the messages.
“An attacker with a large database of messages may infer their content (or parts of it) by analyzing relative locations of repeated sections of the intercepted messages. Since Microsoft has no plans to fix this vulnerability, the only mitigation is to avoid using Microsoft Office 365 Message Encryption,” WithSecure said.
The bug that WithSecure has uncovered does not involve decrypting a single message in isolation; instead it relies on analyzing a stash of stolen encrypted emails for such repeated patterns and ultimately recovering their contents.
Microsoft already treats Office 365 Message Encryption (OME) as a legacy system and has urged customers to use a data governance platform called Purview to secure emails and documents via encryption and access controls.
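To make the quoted pattern-analysis risk concrete, the following added example (not code from WithSecure, Microsoft or the article) contrasts a deterministic block mode, where equal plaintext blocks yield equal ciphertext blocks, with a randomized mode, and runs the cross-message repeated-block check a defender can use to test whether an encryption feature leaks this way. It assumes the OME flaw is of this deterministic kind (such as AES-ECB), which the page itself does not spell out; the keyed HMAC standing in for the block cipher, the key and all messages are constructed for the demo.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16
KEY = hashlib.sha256(b"constructed demo key").digest()  # constructed, not a real key

def _prf(key, data):
    """Keyed pseudorandom function standing in for a block cipher (demo only)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]

def deterministic_blocks(key, plaintext):
    """Deterministic mode: each block is transformed independently of its position,
    so equal plaintext blocks give equal ciphertext blocks (the flaw the quote describes)."""
    pad = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes([pad]) * pad
    return b"".join(_prf(key, padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK))

def randomized_stream(key, nonce, plaintext):
    """Randomized mode: a per-message nonce and the block index enter the keystream,
    so repeated plaintext no longer produces repeated ciphertext."""
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        keystream = _prf(key, nonce + i.to_bytes(4, "big"))
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + BLOCK], keystream))
    return bytes(out)

def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block in the same message."""
    counts = Counter(ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK))
    return sum(c - 1 for c in counts.values())

def shared_sections(ciphertexts):
    """Blocks that appear in more than one message, with their (message, block) positions.
    This is the cross-message pattern analysis the advisory warns about."""
    seen = {}
    for m, ct in enumerate(ciphertexts):
        for i in range(0, len(ct), BLOCK):
            seen.setdefault(ct[i:i + BLOCK], []).append((m, i // BLOCK))
    return {blk: pos for blk, pos in seen.items() if len({m for m, _ in pos}) > 1}

def demo():
    """Constructed emails sharing a 32-byte boilerplate header; returns how many
    ciphertext blocks are shared across messages under each mode."""
    boilerplate = b"CONFIDENTIAL MEMO - DO NOT FWD. "  # exactly two blocks long
    messages = [boilerplate + b"Q3 numbers attached.", boilerplate + b"Please review the merger draft.",
                b"Unrelated lunch plans for Friday."]
    det = [deterministic_blocks(KEY, m) for m in messages]
    rnd = [randomized_stream(KEY, hashlib.sha256(bytes([n])).digest()[:8], m) for n, m in enumerate(messages)]
    return len(shared_sections(det)), len(shared_sections(rnd))
```

Under the deterministic mode the two memos reveal that they share their first two blocks, which is exactly the kind of positional repetition an analyst with a large message corpus can exploit; the randomized mode shows nothing.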
The sources for this piece include an article in TheHackerNews.
