Security researchers at WithSecure have discovered that it is possible to partially, and in some cases fully, infer the contents of messages encrypted through Microsoft’s Office 365 application due to the use of a weak block cipher mode of operation. The weak mode that Office 365 uses is Electronic Codebook (ECB). The main problem the researchers identified with ECB is that repeated areas in the plaintext produce the same ciphertext when the same key is used, which creates a pattern that allows a threat actor to infer the plaintext data in some cases.
This issue in ECB was first highlighted in the 2013 Adobe data breach, where more than 10 million passwords were leaked: the company used ECB mode to encrypt the data, which made it possible to obtain plaintext passwords. The issue was highlighted again in 2020, when it was discovered that the Zoom videoconferencing application used the same 128-bit key to encrypt all audio and video using the AES algorithm in ECB mode. While the researchers at WithSecure indicate that a single message alone isn’t decipherable, they highlight that an actor can look for structural information across numerous messages, finding patterns that allow the messages as a whole to become gradually readable.
This ECB issue was reported to Microsoft in January 2022 and was acknowledged and assigned a bug bounty. However, Microsoft noted that “the issue does not meet the bar for security servicing, nor is it considered a breach”. The company still uses ECB to support legacy applications, but it is working on adding an alternative encryption protocol to future product versions.