Microsoft Downplays Broken Email Encryption

It may disturb millions of Office 365 users to discover Microsoft dismissed expert warnings that its email encryption method may be broken.

Is OME Obsolete?

Outlook messages are encrypted with Office 365 Message Encryption (OME), using the Electronic Codebook (ECB) cryptographic algorithm. This is one of the earliest and simplest encryption modes used to send and receive email messages privately.

“This mode is generally insecure and can leak information about the structure of the messages sent, which can lead to partial or full message disclosure,” as reported by Finnish cybersecurity firm WithSecure.

The U.S. National Institute of Standards and Technology (NIST) also considers the ECB algorithm unsuitable and insecure by today’s standards.

A sustained brute force attack may be all it takes for rogue third-parties with access to a bank of OME-encrypted messages to be able to decode the cipher.

This fuels fears of a growing threat called “hack now, decrypt later,” in which hackers acquire and hold onto vast volumes of encrypted communications with the hope they’ll be able to decrypt and exploit it in future. 

Microsoft Doesn’t Want to Hear It

Microsoft’s response has been slow and evasive. On the one hand, it’s urging customers to switch to a data governance platform called Purview to encrypt their emails and documents. 

On the other, it’s delayed response to the Finnish firm’s findings claim:

The [WithSecure] report was not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report.Since Microsoft has no plans to fix this vulnerability the only mitigation is to avoid using Microsoft Office 365 Message Encryption.


Common Office 365 Vulnerabilities

Along with subpar encryption, Microsoft users must contend with a host of other security risks. 

          • Phishing attacks: malicious emails appearing to come from Microsoft lure you to click something or submit your information. 
          • Sharepoint attacks: O365 accounts may be used to plant malware on SharePoint sites. 
          • Account takeovers: Over 70% of Office 365 business users witness at least one account takeover per month. After hijacking these accounts, hackers are able to send out millions of malicious mails.  
          • Ransomware attacks: These are coming through at a rate of one attack every 14 seconds! The Cerber ransomware attack affected some 57% of Office 365 sites.

Office 365 account holders are well advised to take additional measures to protect themselves.

Stay Safe with CyberGhost VPN

CyberGhost has advanced security tools that cover you where others fail. Our VPN encrypts your internet traffic with military grade 256-bit AES — an advanced encryption cipher experts agree would take millions of years to break. 

CyberGhost VPN also hides your IP so hackers can’t trace your activity to your real location or make out your true digital identity. Become a ghostie and we’ll make sure you’re no longer an easy target.

Leave a comment

Write a comment

Your email address will not be published. Required fields are marked*