Weak Block Cipher in Microsoft Office 365 Exposes Message Contents

Researchers from WithSecure (formerly F-Secure Business) have reported that the contents of encrypted messages sent via Microsoft Office 365 can be partially or fully determined due to the use of a weak block cipher. Although the researchers received a bug bounty reward for their discovery, no fix is expected, and Microsoft has stated that it does not consider this a vulnerability.

How Office 365 Encryption Works

According to WithSecure, organizations use message encryption in Office 365 to send and receive emails (both internal and external) to ensure the confidentiality of their contents. However, this feature encrypts data using the Electronic Code Book (ECB) mode, which under certain conditions allows messages to be read.

The main issue with ECB is that when the same key is used, repeating areas of plaintext data result in identical encrypted output, creating recognizable patterns.

History of ECB Vulnerabilities

This problem first became apparent in 2013, when tens of millions of passwords leaked from Adobe. Researchers discovered that Adobe had used the symmetric block cipher 3DES in ECB mode to encrypt data, which allowed all passwords to be converted back to plain text. Later, in 2020, a similar vulnerability (CVE-2020-11500) was found in the Zoom video conferencing app.

Potential Risks for Office 365 Users

WithSecure experts explain that while the contents of Office 365 encrypted messages cannot be directly decrypted, it is possible to obtain structural information about these messages due to the use of ECB. An attacker who collects several encrypted messages can identify patterns, which may eventually allow parts of the messages to become readable without the encryption key.

“A large number of emails makes this process easier and more accurate, so an attacker could do this by obtaining email archives stolen during a data breach, hacking an account, an email server, or accessing backups,” the experts write.

Thus, a large database of messages allows conclusions to be drawn about the entire content of a message or just parts of it, by looking at the relative positions of repeating sections. To demonstrate the potential of such an attack, the researchers showed the contents of an image that was extracted from an Office 365 encrypted message.

Attack Feasibility and Microsoft’s Response

Analysts emphasize that the attack can be performed offline and can use any previously sent, received, or intercepted encrypted messages. Organizations have no way to prevent analysis of messages that have already been sent.

Interestingly, WithSecure notified Microsoft about this issue back in January 2022 and received $5,000 through the bug bounty program. However, no patches have been released since then.

The researchers repeatedly reminded Microsoft about the vulnerability and tried to find out the status of a fix, but ultimately Microsoft informed WithSecure that the issue is not considered a vulnerability and therefore will not be fixed or assigned a CVE identifier.

Now that WithSecure has made the issue public, Microsoft representatives explained to the media that the company still uses ECB to support legacy applications. However, they are working on adding an alternative encryption protocol in future product versions.

“To prevent abuse, we recommend customers follow security best practices, including keeping systems up to date, enabling multi-factor authentication, and using real-time anti-malware protection products,” Microsoft stated.

WithSecure experts concluded that if no fix is forthcoming, the only way to protect yourself is to stop using Microsoft Office 365 message encryption altogether.