Security News > 2022 > October > Serious Security: Microsoft Office 365 attacked over feeble encryption
We're not quite sure what to call it right now, so we referred to it in the headline by the hybrid name Microsoft Office 365.
The web-based versions of the Office tools don't have the same feature set as the full apps, so any results we might obtain are unlikely to align with how most business users of Office, ah, 365 have configured Word, Excel, Outlook and friends on their Windows laptops.
Many encryption algorithms, notably the Advanced Encryption Standard or AES, which OME uses, are what's known as block ciphers, which scramble largeish chunks of data at a time, rather than processing individual bits or bytes in sequence.
If you're using AES, the mode you probably want to choose these days is AES-GCM, which not only uses an IV to create a different encryption data stream every time, even if the key remains the same, but also calculates what's known as a Message Authentication Code, or cryptographic checksum, at the same time as scrambling or unscrambling the data.
Legacy versions of Office require AES 128 ECB, and Office docs are still protected in this manner by Office apps.
In short, if you're currently relying on OME, you may want to consider replacing it with a third-party encryption tool for sensitive messages that encrypts your data independently of the app that created it, and thus independently of the internal encryption code in the Office range.
News URL
Related news
- ScubaGear: Open-source tool to assess Microsoft 365 configurations for security gaps (source)
- Microsoft 365 outage takes down Office web apps, admin center (source)
- Microsoft Entra "security defaults" to make MFA setup mandatory (source)
- Microsoft pulls Exchange security updates over mail delivery issues (source)
- Microsoft 365 Admin portal abused to send sextortion emails (source)
- Microsoft Ignite 2024 Unveils Groundbreaking AI, Security, and Teams Innovations (source)
- Microsoft now testing hotpatch on Windows 11 24H2 and Windows 365 (source)
- Microsoft plans to boot security vendors out of the Windows kernel (source)
- Microsoft announces new and improved Windows 11 security features (source)
- Microsoft Launches Windows Resiliency Initiative to Boost Security and System Integrity (source)