Microsoft disputes report on Office 365 Message encryption issue after awarding bug bounty

Microsoft is denying reports from a cybersecurity firm that there are issues within the Microsoft Office 365's Electronic Codebook (ECB) message encryption mode.

Microsoft Office 365 allows users to send and receive encrypted messages when ECB mode is enabled.

On Friday, WithSecure published a report outlining how this mode is “generally insecure” and can leak information about the structure of the messages sent, which can lead to partial or full message disclosure. 

“Since the encrypted messages are sent as regular email attachments, the messages sent may be stored in various email systems, and may have been intercepted by any party between the sender and the recipient,” WithSecure researchers said. 

WithSecure security researcher Harry Sintonen said attackers who are able to get their hands on a trove of messages can use the leaked ECB info to decode the encrypted content. 

“More emails make this process easier and more accurate, so it’s something attackers can perform after getting their hands on e-mail archives stolen during a data breach, or by breaking into someone’s email account, e-mail server or gaining access to backups,” he said.

The company approached Microsoft about the issue on January 11 and was paid a $5,000 bug bounty on January 19. But when they contacted the tech giant in May about whether the issue was being resolved, they said they received no response.

WithSecure told Microsoft it planned to publish a report about the problem in August and the company responded on September 21, arguing that the report “was not considered meeting the bar for security servicing, nor is it considered a breach.” 

“No code change was made and so no CVE was issued for this report," Microsoft allegedly told the company. 

When asked about the report, Microsoft told The Record that its implementation of ECB encryption supports legacy applications and noted that it is working towards alternative encryption protocols for future product versions.

But a spokesperson said the feature is intended as a tool to prevent accidental misuse and is not a security boundary. 

“To help prevent abuse we recommend customers follow best security practices, including keeping systems up to date, enabling multi-factor authentication, and using a real time anti-malware product,” the spokesperson said. 

WithSecure defended its report, explaining that the National Institute of Standards and Technology (NIST) recently said the use of ECB to encrypt confidential information “constitutes a severe security vulnerability,” pointing to CVE-2020-11500 — a similar issue related to Zoom’s use of ECB. 

Sintonen explained that an attacker that has a massive database of messages may be able to deduce the content by analyzing patterns within them. 

The attack can be performed offline on any previously sent, received or intercepted encrypted messages, he added, noting that there is no way for the organization to prevent analysis of already sent messages.

WithSecure claimed the issue may also “lead to privacy impact as described in EU General Data Protection Regulation (GDPR), State of California Consumer Privacy Act (CCPA), or some other similar legislation.”

“Any organization with personnel that used OME [open messaging environment] to encrypt emails are basically stuck with this problem. For some, such as those that have confidentiality requirements put into contracts or local regulations, this could create some issues,” Sintonen said. 

“And then of course, there’s questions about the impact this data could have in the event it’s actually stolen, which makes it a significant concern for organizations.”

Sintonen and WithSecure recommended that Microsoft users avoid using the system as a way to send confidential emails. 

'High severity'

Cybersecurity experts were split on whether the issue was as serious as described by WithSecure. 

Vulcan Cyber’s Mike Parkin argued that while it would be ideal for encrypted traffic to not reveal anything about the contents of the message, most business users won’t be affected by the level of data leakage here, “unless they are in the habit of sending highly sensitive, and time sensitive, information through Office 365.”

Bud Broomhead, CEO at cybersecurity firm Viakoo, told The Record that even if Microsoft declines to fix this, it should at least remove or restrict the use of message encryption within Office 365 until a better solution is available to users. 

“Hard to see a ‘feature’ aspect of this; clearly it’s a bug of high severity,” he said. 

“For many years the fear has been that encrypted data that was previously exfiltrated may someday be decrypted and exploited. For threat actors who have harvested large amounts of encrypted Microsoft Office 365 email messages that day may be today. (Didn’t have to wait for quantum computing to unlock all those secrets!).” 

Others, like Coalfire Vice President Andrew Barratt, said an attacker would need to first conduct relatively difficult offline attacks to gain access to documents and explained that the return on investment for the intruder would be quite limited. 

Theon Technology’s Bryan Cunningham took a broader look at the issue, arguing that regardless of the accuracy of WithSecure’s claims, there are now severe risks that all organizations and individuals face when using any encryption technology because of advances in quantum and mathematical techniques. 

Cunningham explained that encryption methods have long been fallible, pointing back to U.S. agencies' ability to decrypt messages from the Soviet Union.

“Also, any encryption scheme can be defeated even without breaking the code if users do not handle keys properly or are successfully phished, among other attack techniques," he said. "No one can prevent all attacks, but sufficiently hardened encrypted data at rest is much less likely to be made usable in the future – even if it is stolen.”