Security News > 2022 > October > Serious Security: Microsoft Office 365 attacked over feeble encryption

We're not quite sure what to call it right now, so we referred to it in the headline by the hybrid name Microsoft Office 365.
The web-based versions of the Office tools don't have the same feature set as the full apps, so any results we might obtain are unlikely to align with how most business users of Office, ah, 365 have configured Word, Excel, Outlook and friends on their Windows laptops.
Many encryption algorithms, notably the Advanced Encryption Standard or AES, which OME uses, are what's known as block ciphers, which scramble largeish chunks of data at a time, rather than processing individual bits or bytes in sequence.
If you're using AES, the mode you probably want to choose these days is AES-GCM, which not only uses an IV to create a different encryption data stream every time, even if the key remains the same, but also calculates what's known as a Message Authentication Code, or cryptographic checksum, at the same time as scrambling or unscrambling the data.
Legacy versions of Office require AES 128 ECB, and Office docs are still protected in this manner by Office apps.
In short, if you're currently relying on OME, you may want to consider replacing it with a third-party encryption tool for sensitive messages that encrypts your data independently of the app that created it, and thus independently of the internal encryption code in the Office range.
News URL
Related news
- Fake Microsoft Office add-in tools push malware via SourceForge (source)
- Microsoft blocks ActiveX by default in Microsoft 365, Office 2024 (source)
- April 2025 Patch Tuesday forecast: More AI security introduced by Microsoft (source)
- Google's got a hot cloud infosec startup, a new unified platform — and its eye on Microsoft's $20B+ security biz (source)
- Microsoft: Licensing issue blocks Microsoft 365 Family for some users (source)
- Microsoft releases emergency update to fix Office 2016 crashes (source)
- Microsoft: Windows 'inetpub' folder created by security fix, don’t delete (source)
- Tycoon2FA phishing kit targets Microsoft 365 with new tricks (source)
- ActiveX blocked by default in Microsoft 365 because remote code execution is bad, OK? (source)
- Microsoft: Office 2016 and Office 2019 reach end of support in October (source)