Office 365: OME encryption method bypassable
Fix impossible?
Microsoft Office 365 is facing a serious security problem: security researchers claim to have cracked the OME encryption.
Microsoft Office 365 is the best-known suite of its kind and, as the market leader, is used by millions of customers. The demands on the encryption standard used, which in the case of e-mail traffic is based on the OME (Office Message Encryption) process, are correspondingly high. As researchers from the security company “WithSecure” report, however, OME is based on a fatal flaw that may lead to attacks and may not be fixable.
Specifically, the issue is the ECB (Electronic Codebook) block cipher mode, which gives away details about the structure of sent messages. If an attacker gains access to a large number of emails, they could infer further information about the key based on the position and structure of the patterns that appear.
If only individual messages are captured, the probability of a compromise is still low. However, the statistical probability increases if, for example, the entire mail archive falls into the hands of the attacker, since cracking the key can be used, among other things, to reconstruct the plain text of the messages, although this involves a great deal of effort.
Closing the security gap seems to be even more problematic than the vulnerability itself. Since the vulnerability of OME lies in the basic architecture, a conventional security update cannot help here – the vulnerability will probably remain for the time being. Microsoft itself has not yet commented on this.
Reference: www.pc-magazin.de