Security News > 2022 > October > Serious Security: Microsoft Office 365 attacked over feeble encryption
We're not quite sure what to call it right now, so we referred to it in the headline by the hybrid name Microsoft Office 365.
The web-based versions of the Office tools don't have the same feature set as the full apps, so any results we might obtain are unlikely to align with how most business users of Office, ah, 365 have configured Word, Excel, Outlook and friends on their Windows laptops.
Many encryption algorithms, notably the Advanced Encryption Standard or AES, which OME uses, are what's known as block ciphers, which scramble largeish chunks of data at a time, rather than processing individual bits or bytes in sequence.
If you're using AES, the mode you probably want to choose these days is AES-GCM, which not only uses an IV to create a different encryption data stream every time, even if the key remains the same, but also calculates what's known as a Message Authentication Code, or cryptographic checksum, at the same time as scrambling or unscrambling the data.
Legacy versions of Office require AES 128 ECB, and Office docs are still protected in this manner by Office apps.
In short, if you're currently relying on OME, you may want to consider replacing it with a third-party encryption tool for sensitive messages that encrypts your data independently of the app that created it, and thus independently of the internal encryption code in the Office range.
News URL
Related news
- New Phishing Attack Uses Clever Microsoft Office Trick to Deploy NetSupport RAT (source)
- Microsoft Office LTSC 2024 preview available for Windows, Mac (source)
- Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw (source)
- Microsoft Copilot for Security prepares for April liftoff (source)
- Microsoft’s Security Copilot Enters General Availability (source)
- Microsoft announces Office LTSC 2024 preview starting next month (source)
- Microsoft confirms memory leak in March Windows Server security update (source)
- New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts (source)
- Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online (source)
- Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online (source)