Security News > 2022 > October > Serious Security: Microsoft Office 365 attacked over feeble encryption

We're not quite sure what to call it right now, so we referred to it in the headline by the hybrid name Microsoft Office 365.

The web-based versions of the Office tools don't have the same feature set as the full apps, so any results we might obtain are unlikely to align with how most business users of Office, ah, 365 have configured Word, Excel, Outlook and friends on their Windows laptops.

Many encryption algorithms, notably the Advanced Encryption Standard or AES, which OME uses, are what's known as block ciphers, which scramble largeish chunks of data at a time, rather than processing individual bits or bytes in sequence.

If you're using AES, the mode you probably want to choose these days is AES-GCM, which not only uses an IV to create a different encryption data stream every time, even if the key remains the same, but also calculates what's known as a Message Authentication Code, or cryptographic checksum, at the same time as scrambling or unscrambling the data.

Legacy versions of Office require AES 128 ECB, and Office docs are still protected in this manner by Office apps.

In short, if you're currently relying on OME, you may want to consider replacing it with a third-party encryption tool for sensitive messages that encrypts your data independently of the app that created it, and thus independently of the internal encryption code in the Office range.

News URL

https://nakedsecurity.sophos.com/2022/10/14/serious-security-microsoft-office-365-attacked-over-feeble-encryption/