Forum Discussion
Azure Information Protection affected by efail
Thanks for your answer.
Just to be sure that we are talking about the same things.
I am just searching for a confirmation that Office 365 Message Encryption (part of AIP) is not affected by efail. In my opinion it is just not affected because it is not based on S/MIME or OpenPGP.
Am I right?
Sorry for the delay. Our terminology makes this confusing. Office 365 Message Encryption (OME) uses RMS. S/MIME is another way of encrypting messages in Exchange Online using certificates, and it creates digital signatures. The vulnerability described does not apply to RMS (AIP); thus, it does not apply to OME.
I hope that helps.
Thanks
- Jay Frantz, Jun 28, 2018, Copper Contributor
Just to be clear, the S/MIME and PGP vulnerabilities described are due to malleability.
Has there been a statement by Microsoft about whether the encryption protocol used in RMS could be subject to malleability-based attacks (i.e. is RMS secure against allowing injection of content into encrypted messages that will still show up on the client side when decrypted into plaintext)?
EDIT: In reading further on Efail, it looks like you also need client-side software configured to open things in a fairly careless way. Please disregard my query.
- Frederik Lentjes, Jun 28, 2018, Copper Contributor
I did not find any official statement by Microsoft.