But Practical Considerations Make Potential OME Weakness Not Worth Worrying About
I don’t quite know what to make of the October 14 WithSecure Labs report that Office 365 Message Encryption (OME) uses “a Broken or Risky Cryptographic Algorithm.” I also don’t know why Microsoft continues to use Electronic Codebook (ECB) to cipher message content.
OME, or rather “Microsoft Purview Message Encryption” is included in Office 365 E3 and E5 and other Microsoft 365 plans. An advanced form of OME is also available, but its functionality is not pertinent to this discussion. OME allows Exchange Online users to send encrypted email to literally any other email recipient, no matter what server their mailbox connects to. OME is built on top of Azure Rights Management, so users can protect messages with the default Do Not Forward and Encrypt-Only templates, or they can use custom rights management templates published to Outlook email clients as sensitivity labels.
Inferring Message Content
The problem discovered by the researchers is that a “Malicious 3rd party gaining access to the encrypted email messages may be able to identify content of the messages since ECB leaks certain structural information of the messages.” That certainly sounds like a problem, but the fact is that third parties can only deduce some structural information about emails, not the actual content. Their demonstration of an image extracted from an encrypted message is impressive, but only until you consider that the researchers had full control over the message content and were able to insert the necessary blocks to create the image they displayed. Exposing an image in a protected file makes a nice demo, but it is not the same as being able to extract information from a “real” file selected at random from a set of protected messages.
The practical implications of being able to intercept messages protected by OME are less certain. The researchers say that “an attacker with a large database of messages may infer their content (or parts of it) by analyzing relative locations of repeated sections of the intercepted messages.” The important thing here is that an attacker needs to acquire a large database of messages before they can reach a point where they can infer what the content of any specific message might be. Whether you consider this a practical attack in the wild is up to your judgement. I don’t think it is something to worry about in the real world.
Little Likelihood of Exploitation
My experience is that relatively few messages created by Office 365 tenants use OME protection. Admittedly, even a small percentage of protected messages is a large volume when you consider that Exchange Online processes 9.2 billion messages daily. The counterargument is that the number of protected messages sent by individual tenants or users is usually small.
Some years ago, a conversation with the Microsoft Information Protection team indicated that the percentage of protected messages was in the low single digits. Of those messages, a large number probably remain inside Office 365 and are therefore impervious to interception unless an attacker can compromise the Microsoft 365 infrastructure. If that happens, being able to analyze some protected email to detect patterns that might reveal some potential content is the least of an Office 365 tenant’s problems.
We’re then left with a relatively small number of messages protected by OME that flow out of Office 365 to other mail systems. A potential attacker must therefore work out how to acquire “a large database of messages” before they can begin inferring message content. Or, as the report puts it: “Even if specific message would not directly leak information in this way, an attacker with a large body of messages is able to perform analysis of the relation of the repeated patterns in the files to identify specific files. This may lead to ability to infer (parts of) clear text of encrypted messages.” The obvious fact here is that if an attacker can sit on a transmission path from Office 365 to another mail system, they’re likely to capture a vast quantity of unprotected email that can be analyzed and interrogated without any need to decrypt, infer, or otherwise go near protected content.
Microsoft’s Use of ECB
According to the researchers, even though Microsoft paid a $5,000 bounty for discovering the vulnerability, Microsoft’s response was “The report was not considered meeting the bar for security servicing, nor is it considered a breach.” Perhaps Microsoft believes that the practicality of exploitation is so low that the flaw doesn’t merit changing their code.
Interestingly, the researchers point out that the Microsoft Information Protection (MIP) ProtectionHandler::PublishingSettings class has a SetIsDeprecatedAlgorithmPreferred method whose description says that it “Sets whether or not deprecated crypto algorithm (ECB) is preferred for backwards compatibility.”
The researchers speculate that OME uses this flag to enable ECB rather than the more secure Cipher Block Chaining (CBC) mode.
They also point out that Microsoft’s FIPS 140-2 Compliance documentation explicitly states that “Legacy versions of Office (2010) require AES 128 ECB, and Office docs are still protected in this manner by Office apps.”
What’s weird here is that Office 365 hasn’t supported Office 2010 for years. At first glance, it doesn’t make sense for Microsoft to configure OME to support an ancient legacy version of Office. It would seem to make sense for Microsoft to move from ECB to CBC, but that’s without the benefit of understanding what this would mean in practice for end users. My understanding is that OME uses CBC for non-Office files because there is no reason to support backwards compatibility.
It’s clear from the Open XML format documentation that Office applies compression (Lempel-Ziv) to store documents. The RPMSG “wrapper message” generated by OME is also compressed (I believe that OME uses the Deflate algorithm for this purpose). Logically, compression occurs before encryption. The way compression works ensures that no repetitive patterns or fixed-length sequences exist in the file, so the Office documents processed by ECB can’t exhibit the kinds of patterns reported by the researchers. If an attacker captures Office documents, there’s little hope of their being able to infer anything from the document content.
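To make two points from this post concrete, that ECB turns repeated plaintext blocks into repeated ciphertext blocks (the “structural information” the report describes) and that compressing before encrypting collapses those repeats, here is an added example. It is not code from the original post, from WithSecure, or from Microsoft. It carries its own minimal AES-128 so that it runs with the Python standard library alone, builds a constructed stand-in for a bitmap (a uniform background with a foreground square, the kind of input the report used), encrypts it in ECB and CBC, and scores each ciphertext by the fraction of repeated 16-byte blocks. The `ecb_leak_score` and `silhouette` helpers, the demo key and IV, and the sample image are all invented for this example and have nothing to do with OME’s real keys or message formats.

```python
import zlib
# Minimal AES-128 (encrypt-only) written for this demonstration; it is not
# Microsoft's or the MIP SDK's code. Only the *mode* matters for the leak shown.
def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _build_sbox():
    """S-box = affine map of the GF(2^8) inverse (0 maps to 0), per FIPS-197."""
    sbox = []
    for x in range(256):
        s = r = next(y for y in range(256) if _gf_mul(x, y) == 1) if x else 0
        for _ in range(4):  # inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
def _expand_key(key):
    """FIPS-197 key schedule for a 16-byte key: eleven 16-byte round keys."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def _encrypt_block(rk, block):
    """Encrypt one 16-byte block; state index i = row + 4 * column."""
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:                                                        # MixColumns
            m, s = s, []
            for a0, a1, a2, a3 in (m[c:c + 4] for c in range(0, 16, 4)):
                s += [_gf_mul(a0, 2) ^ _gf_mul(a1, 3) ^ a2 ^ a3,
                      a0 ^ _gf_mul(a1, 2) ^ _gf_mul(a2, 3) ^ a3,
                      a0 ^ a1 ^ _gf_mul(a2, 2) ^ _gf_mul(a3, 3),
                      _gf_mul(a0, 3) ^ a1 ^ a2 ^ _gf_mul(a3, 2)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]                             # AddRoundKey
    return bytes(s)

def _pad(data):  # PKCS#7 padding to a whole number of 16-byte blocks
    n = 16 - len(data) % 16
    return data + bytes([n]) * n

def aes_ecb_encrypt(key, data):
    rk, data = _expand_key(key), _pad(data)
    return b"".join(_encrypt_block(rk, data[i:i + 16]) for i in range(0, len(data), 16))

def aes_cbc_encrypt(key, iv, data):
    rk, data, out, prev = _expand_key(key), _pad(data), [], iv
    for i in range(0, len(data), 16):
        prev = _encrypt_block(rk, bytes(a ^ b for a, b in zip(data[i:i + 16], prev)))
        out.append(prev)
    return b"".join(out)

def compress_then_ecb(key, data):  # the compress-before-encrypt order the post describes
    return aes_ecb_encrypt(key, zlib.compress(data))

def ecb_leak_score(ct):
    """Fraction of 16-byte ciphertext blocks that repeat an earlier one (~0 under CBC)."""
    blocks = [ct[i:i + 16] for i in range(0, len(ct), 16)]
    return 1 - len(set(blocks)) / len(blocks)

def silhouette(ct, blocks_per_row):
    """One symbol per distinct ciphertext block, row by row: the outline ECB exposes."""
    blocks = [ct[i:i + 16] for i in range(0, len(ct), 16)]
    seen, rows = {}, []
    for i in range(0, len(blocks) - len(blocks) % blocks_per_row, blocks_per_row):
        rows.append("".join(".#+*o@"[min(seen.setdefault(b, len(seen)), 5)]
                            for b in blocks[i:i + blocks_per_row]))
    return rows
# Constructed stand-in for a bitmap: 32 rows of 64 one-byte pixels with a 16x32
# foreground square on a uniform background (the kind of input the report used).
BG, FG = b"\x20", b"\x7f"
IMAGE = b"".join(BG * 16 + FG * 32 + BG * 16 if 8 <= row < 24 else BG * 64
                 for row in range(32))
KEY, IV = bytes(range(16)), bytes(range(16, 32))  # constructed demo key and IV, not OME's

if __name__ == "__main__":
    for name, ct in [("ECB", aes_ecb_encrypt(KEY, IMAGE)),
                     ("CBC", aes_cbc_encrypt(KEY, IV, IMAGE)),
                     ("compress-then-ECB", compress_then_ecb(KEY, IMAGE))]:
        print(f"{name:>18} leak score: {ecb_leak_score(ct):.3f}")
    print("\n".join(silhouette(aes_ecb_encrypt(KEY, IMAGE), 4)))  # outline from ECB alone
```

Run as a script, it prints a leak score of about 0.98 for ECB over the raw bitmap, 0.000 for CBC, and 0.000 for compress-then-ECB, followed by 32 rows in which the square’s outline (`.##.` against `....`) is recovered from the ECB ciphertext without any key. The score is a cheap heuristic a reviewer can apply to ciphertext at rest: a high value is a strong sign that ECB is covering block-aligned, structured data, while a low value only says the input carried no repeated blocks (compressed or random data under ECB scores low too), so it does not by itself prove the mode is sound.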
The Net Result
Given the lack of support for Office 2010 within Microsoft 365, it’s logical to ask why Microsoft has not upgraded OME and removed the use of ECB for Office documents. That step might make security researchers happier, but the use of compression in the existing implementation means that it might not make any real practical difference. Overall, the potential for a successful attack on OME-protected email in the wild seems low and the overwhelming percentage of unprotected email seems like a much more lucrative target for attackers.
WithSecure are certainly within their rights to recommend that Office 365 tenants should ignore OME until something better comes along. I disagree. It seems to me that increased use of OME would stop attackers from compromising the huge quantity of unprotected email that Office 365 tenants currently send. It’s wonderful to worry about an edge case; the real issue is to protect email in general. And that’s why it remains so much better to protect confidential email with OME.
Learn about protecting Exchange Online and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.
I’m also trying to understand this better. Could it be that since the images are compressed already in JPG or PNG (they don’t mention the image file type that I saw) the images aren’t compressed again and can be seen as described in the article when using ECB? Uncompressed data (text, documents etc) would not be so clearly visible and thus the risk is far lower since it is first compressed and then encrypted as you mentioned above?
Still a fail and I hope MS fix it, but agree that the risk is relatively low and a very large amount of encrypted data would be required to glean any knowledge of the contents.
Yep, it seems like the file used by the researcher is an image file (maybe also BMP?), so they get the output they wanted. I would be much more worried if they demonstrated retrieval of information from a protected Word document or Excel spreadsheet (or even the HTML content from a message body), but that didn’t happen.