Microsoft Information Protection Upgrades to Enhanced Encryption Algorithm

AES256-CBC Will Protect Office Documents and Email

Last year, some researchers expressed worries that the AES 128 ECB (Electronic Cookbook Mode) cipher used by Microsoft Information Protection to encrypt documents and emails could be compromised. Microsoft uses the cipher to ensure backward compatibility with older Office versions.

The need for backward compatibility appears to have lifted. Announced in MC590144 (June 15, 2023, Microsoft 365 roadmap item 117576), Microsoft Information Protection will start using AES 256 in Cipher Block Chaining (AES256-CBC) mode from late August 2023 with full deployment expected by the end of September 2023.

Sensitivity Labels Apply Better Protection

In practical terms, if you apply a sensitivity label (Figure 1) to an Office document, export an Office document to a PDF, or email (including meetings), or use the Purview Message Encryption feature (previously Office 365 message encryption or OME) to set Do Not Forward or Encrypt-Only for emails, the level of encryption protecting those items will increase. Items previously protected will receive the upgraded protection the next time the items go through an encryption/decryption cycle. For instance, if someone edits a protected document stored in a SharePoint Online document library, SharePoint will apply the improved encryption when it saves the file. Full details are available in this Microsoft Technology Community post.

Enhanced protection is available in the Microsoft 365 apps for enterprise, SharePoint Online, Exchange Online, Purview Message Encryption, the Azure Information Protection (AIP) unified labelling client (version 2.17 or later), AIP PowerShell module (2.17 and later), and the Purview Information Protection Scanner for on-premises repositories.

Third-party applications built using the Microsoft Information Protection SDK 1.13 or later support items protected with AES256-CBC. This includes the paid-for versions of Adobe Acrobat that can apply and manage sensitivity labels. It might take a little time for ISVs to issue upgraded versions of their products that support AES256-CBC.

Impact on Four Groups

Although the transition to AES256-CBC should be seamless for Microsoft 365 tenants, Microsoft calls out four groups of customers that the change will impact. These are organizations:

• Using the subscription version of Office (Microsoft 365 apps for enterprise) with Exchange Server (on-premises or hybrid). The Exchange development group is working on a patch to allow Exchange Server to support AES256-CBC that should be available in July. However, the patch will only be available for Exchange Servers with support, so that means the latest versions of Exchange 2016 and Exchange 2019. Microsoft will automatically exclude organizations using the Azure Rights Management connector from using AES256-CBC until January 2024 to allow them time to apply server upgrades.
• With applications built using the Microsoft Information Protection SDK. These organizations must upgrade their applications to V1.13 of the SDK.
• Using perpetual versions of Office (2016, 2019, and 2021 LTSC). These versions can consume items protected with AES256-CBC, but some work is needed to allow clients to create items protected with the new cipher.
• Using the current version of the AIP Viewer, PowerShell module, or Scanner. Workstations need to upgrade to the latest version of the unified labeling client to enable support for AES256-CBC for components installed by the client.

Failure to take action to upgrade installations before Microsoft rolls out the change in August 2023 will result in Exchange Server failing to decrypt protected email. More details are available in Microsoft’s Technical community post.

Moving to Stronger Encryption

Even if the potential for compromise required attackers to follow an unlikely path, Microsoft has answered the doubts expressed by researchers with this update. That’s a welcome change that will kick in during August 2023. Users shouldn’t be aware of the transition and won’t be impacted by the change if administrators of the highlighted organizations take action.

For more information about the transition to AES256-CBC, see Microsoft’s documentation.

---

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.