Security News > 2022 > October > Researchers Say Microsoft Office 365 Uses Broken Email Encryption to Secure Messages
New research has disclosed what's being called a security vulnerability in Microsoft 365 that could be exploited to infer message contents due to the use of a broken cryptographic algorithm.
Office 365 Message Encryption is a security mechanism used to send and receive encrypted email messages between users inside and outside an organization without revealing anything about the communications themselves.
A consequence of the newly disclosed issue is that rogue third-parties gaining access to the encrypted email messages may be able to decipher the messages, effectively breaking confidentiality protections.
Electronic Codebook is one of the simplest modes of encryption wherein each message block is encoded separately by a key, meaning identical plaintext blocks will be transposed into identical ciphertext blocks, making it unsuitable as a cryptographic protocol.
"An attacker with a large database of messages may infer their content by analyzing relative locations of repeated sections of the intercepted messages," the company said.
"Since Microsoft has no plans to fix this vulnerability the only mitigation is to avoid using Microsoft Office 365 Message Encryption," WithSecure said.
News URL
https://thehackernews.com/2022/10/researchers-claim-microsoft-office-365.html
Related news
- Microsoft 365 Admin portal abused to send sextortion emails (source)
- Microsoft 365 outage takes down Office web apps, admin center (source)
- Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel (source)
- Microsoft Exchange adds warning to emails abusing spoofing flaw (source)
- ScubaGear: Open-source tool to assess Microsoft 365 configurations for security gaps (source)
- Microsoft now testing hotpatch on Windows 11 24H2 and Windows 365 (source)
- Microsoft 365 outage impacts Exchange Online, Teams, Sharepoint (source)
- Phishing-as-a-Service "Rockstar 2FA" Targets Microsoft 365 Users with AiTM Attacks (source)
- New Rockstar 2FA phishing service targets Microsoft 365 accounts (source)
- Hackers Use Corrupted ZIPs and Office Docs to Evade Antivirus and Email Defenses (source)