Microsoft is currently engaged in a debate with security researchers over whether Office 365’s built-in message encryption is secure or not. In any case, it’s fair to ask what Office Message Encryption (OME) is actually useful for anyway.
The official line is that Office Message Encryption provides an opportunity “to send and receive encrypted email messages between people inside and outside your organization”. According to WithSecure’s assessment, however, the mode of operation used by OME (Electronic Codebook, or ECB) is not fit for purpose: identical plaintext blocks produce identical ciphertext blocks, so it leaks structure from data with repeating patterns such as plain text or uncompressed images and videos. Despite this, Microsoft sees no need to change things – as reported in British online tech news publication “The Register” and other outlets.
And WithSecure is far from alone in its criticism. The renowned National Institute of Standards and Technology (NIST), for instance, has stated that the “use of ECB to encrypt confidential information constitutes a severe security vulnerability.” The fact that OME uses a strong cipher (AES) doesn’t solve the problem, WithSecure goes on to say, because the weakness lies in the mode, not in the cipher. A further point security researchers have called out is that OME messages are sent as email attachments. “Attackers who are able to get their hands on multiple messages can use the leaked ECB info to figure out the encrypted contents,” explains Harry Sintonen, security researcher at WithSecure.
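The weakness WithSecure and NIST describe is a property of the ECB mode itself, independent of the block cipher underneath it. The following added example (not code from Microsoft, OME, WithSecure or Retarus) makes that property visible: a small Feistel block cipher built from SHA-256 stands in for AES, the same plaintext with repeating lines is encrypted once in ECB mode and once in CBC mode, and a simple duplicate-block check of the kind a defender can run over ciphertext shows why ECB output betrays structure while CBC output does not. The toy cipher, the key, the IV and the sample message are all constructed for the demonstration and are not real OME material.

```python
import hashlib
from collections import Counter

BLOCK = 16  # block size in bytes, same as AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, i: int) -> bytes:
    # Keyed SHA-256 used as the Feistel round function (toy construction, not AES)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Encrypt one 16-byte block with an 8-round Feistel network (stand-in for AES)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(rounds):
        left, right = right, _xor(left, _round_fn(key, right, i))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Inverse of toy_block_encrypt: run the rounds backwards."""
    left, right = block[:8], block[8:]
    for i in reversed(range(rounds)):
        right, left = left, _xor(right, _round_fn(key, left, i))
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal blocks encrypt equally."""
    data = pkcs7_pad(plaintext)
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    data = b"".join(toy_block_decrypt(key, ciphertext[i:i + BLOCK]) for i in range(0, len(ciphertext), BLOCK))
    return pkcs7_unpad(data)


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before encryption."""
    data = pkcs7_pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)  # IV is prepended so the receiver can decrypt


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    out, prev = [], iv
    for i in range(0, len(body), BLOCK):
        block = body[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, block), prev))
        prev = block
    return pkcs7_unpad(b"".join(out))


def repeated_block_ratio(ciphertext: bytes) -> float:
    """Fraction of 16-byte ciphertext blocks that duplicate an earlier block.

    A high ratio is the classic fingerprint of ECB over structured data; a sound
    mode with a fresh IV should give (near) zero regardless of the plaintext.
    """
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    duplicates = sum(count - 1 for count in Counter(blocks).values())
    return duplicates / len(blocks)


# Constructed demo material: a fixed key, a fixed IV and a message made of
# twenty identical 16-byte lines, the kind of repetition a form letter or a
# bitmap image produces.
DEMO_KEY = b"constructed-demo-key-not-secret!"
DEMO_IV = bytes(range(16))
DEMO_MESSAGE = b"INVOICE PAID OK\n" * 20


def demo() -> dict:
    ecb_ct = ecb_encrypt(DEMO_KEY, DEMO_MESSAGE)
    cbc_ct = cbc_encrypt(DEMO_KEY, DEMO_MESSAGE, DEMO_IV)
    return {
        "ecb_repeat_ratio": repeated_block_ratio(ecb_ct),
        "cbc_repeat_ratio": repeated_block_ratio(cbc_ct),
        "ecb_first_two_blocks_equal": ecb_ct[:16] == ecb_ct[16:32],
        "cbc_first_two_blocks_equal": cbc_ct[16:32] == cbc_ct[32:48],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the ECB ciphertext consisting almost entirely of repeated blocks (twenty identical lines give twenty identical ciphertext blocks, plus one padding block), whereas the CBC ciphertext has no repeats at all. The duplicate-block ratio is a cheap heuristic that can be applied to any captured ciphertext to spot ECB use without knowing the key, which is exactly why ECB is unsuitable for email bodies and attachments.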
Microsoft doesn’t consider it necessary to take any action based on WithSecure’s findings. “The report was not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report,” the software company has stated. Since Microsoft introduced its own governance system called Purview earlier this year, the software giant now considers OME to be a legacy system anyway.
WithSecure certainly advises companies to take heed of the potential legal ramifications of using OME, particularly in view of the strict data protection regulations in Europe and California. “Since Microsoft has no plans to fix this vulnerability the only mitigation is to avoid using Microsoft Office 365 Message Encryption,” the researchers conclude.
Companies looking to encrypt emails securely and in line with established standards need look no further than Retarus’ gateway-based Email Encryption service. The solution is compatible with any SMTP-based email system irrespective of the device used, and supports the common S/MIME, PGP and OpenPGP procedures. The X.509 v3 standard is also fully supported, including self-signed certificates. Retarus manages all internal and external keys centrally. Recipients without their own encryption solutions can view their decrypted messages by way of a secure web portal. Those interested can find out more from our website or straight from your local Retarus representative.