Researchers warn of a vulnerability in Microsoft’s Office 365 Message Encryption feature. Cybercriminals can decrypt messages using a widely documented method. Although Microsoft is aware of the problem, the tech giant refuses to take action.

Microsoft offers multiple encryption options for data in Office 365. One is Message Encryption, available in Microsoft Purview. The feature allows end users to send encrypted emails to recipients inside and outside the organization.

Researchers at WithSecure recently found a vulnerability in Message Encryption. The feature uses Electronic Code Book (ECB) technology to encrypt messages. Cybercriminals bypassed the same technology in 2013 to decrypt a massive stolen database from Adobe.

The method was widely documented at the time. The information allows cybercriminals to bypass Message Encryption. There is no evidence that the vulnerability has been exploited in practice, but researchers warn of the risk.

Message Encryption

Message Encryption is supposed to ensure that stolen data is unusable for cybercriminals. When an employee sends a sensitive email to an external company and the company’s database is leaked at a later time, the data is unreadable.

Because of the vulnerability, the latter can’t be guaranteed. “Attackers can perform [the method] after getting their hands on email archives stolen during a data breach, or by breaking into someone’s email account, email server or gaining access to backups”, WithSecure researcher Harry Sintonen explained.

Microsoft refuses to patch

Microsoft is aware of the problem. WithSecure informed the tech giant in January 2022. Microsoft acknowledged the vulnerability and rewarded the security company with financial compensation. After that, things went quiet.

In recent months, WithSecure repeatedly contacted Microsoft to inquire about the status of a patch. The tech giant shoved the problem under the table. Microsoft told WithSecure that the vulnerability “does not meet the bar for security servicing”.

Microsoft regularly refuses to develop patches for security problems. In September 2022, security firm Vectra disclosed that the tech giant ignored a vulnerability in Teams for weeks. Sometimes, security researchers and Microsoft butt heads over the severity of risks.

In the absence of a patch, WithSecure recommends avoiding Office 365’s Message Encryption feature.

Tip: Data privacy: from necessary security step to competitive advantage