Security News > 2022 > October > Serious Security: Microsoft Office 365 attacked over feeble encryption

We're not quite sure what to call it right now, so we referred to it in the headline by the hybrid name Microsoft Office 365.
The web-based versions of the Office tools don't have the same feature set as the full apps, so any results we might obtain are unlikely to align with how most business users of Office, ah, 365 have configured Word, Excel, Outlook and friends on their Windows laptops.
Many encryption algorithms, notably the Advanced Encryption Standard or AES, which OME uses, are what's known as block ciphers, which scramble largeish chunks of data at a time, rather than processing individual bits or bytes in sequence.
If you're using AES, the mode you probably want to choose these days is AES-GCM, which not only uses an IV to create a different encryption data stream every time, even if the key remains the same, but also calculates what's known as a Message Authentication Code, or cryptographic checksum, at the same time as scrambling or unscrambling the data.
Legacy versions of Office require AES 128 ECB, and Office docs are still protected in this manner by Office apps.
In short, if you're currently relying on OME, you may want to consider replacing it with a third-party encryption tool for sensitive messages that encrypts your data independently of the app that created it, and thus independently of the internal encryption code in the Office range.
News URL
Related news
- Fake Microsoft Office add-in tools push malware via SourceForge (source)
- Microsoft blocks ActiveX by default in Microsoft 365, Office 2024 (source)
- URGENT: Microsoft Patches 57 Security Flaws, Including 6 Actively Exploited Zero-Days (source)
- Patch Tuesday: Microsoft Fixes 57 Security Flaws – Including Active Zero-Days (source)
- Malicious Adobe, DocuSign OAuth apps target Microsoft 365 accounts (source)
- Hidden Threats: How Microsoft 365 Backups Store Risks for Future Attacks (source)
- AI agents swarm Microsoft Security Copilot (source)
- After Detecting 30B Phishing Attempts, Microsoft Adds Even More AI to Its Security Copilot (source)
- Microsoft: New Windows scheduled task will launch Office apps faster (source)
- Android Malware Exploits a Microsoft-Related Security Blind Spot to Avoid Detection (source)