cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

O365 Message Encryption exposing private info

Deleted
Not applicable

‎Jan 22 2017 08:14 PM - edited ‎Jan 31 2017 11:20 PM

‎Jan 22 2017 08:14 PM - edited ‎Jan 31 2017 11:20 PM

O365 Message Encryption exposing private info

I’m not sure if this is the right place for this kind of post, but I think it warrants the attention of whoever is in charge of Office 365 Message Encryption (OME): OME doesn’t remove Exchange X-header fields from encrypted messages, which may expose private information.

 

OME delivers an encrypted message as an HTML attachment containing a FORM field called rpmsg, whose value is a MIME text (which further contains an attachment message.rpmsg, the encrypted message itself).  rpmsg contains X-header fields used internally by Exchange, notably 

 

* X-MS-Exchange-Organization-BCC, the list of BCC’d recipients;

* X-MS-Exchange-Organization-OriginalClientIPAddress, the client’s connecting IP address (some organizations consider it private and also remove X-Originating-IP from outbound messages);

* X-MS-Exchange-Organization-MessageSent24, apparently the number of emails sent within a moving 24-hour window.

 

(Screenshot: https://i.imgur.com/HQeTY8W.jpg)

 

I tried to contact the Exchange Team on Twitter previously, but haven’t heard back yet.

 

 

 

Update I got an update from Microsoft today that this issue will be fixed in a future version of OME, although no release date was given.

 

 

Labels:
4,419 Views
1 Like
3 Replies
Reply
3 Replies
Loryan Strant

‎Jan 22 2017 09:00 PM

‎Jan 22 2017 09:00 PM

Re: O365 Message Encryption exposing private info

Have you logged a Service Request? That might be the best way to get some progress if you've found a bug/issue like this.
0 Likes
Reply

‎Jan 23 2017 02:12 AM

‎Jan 23 2017 02:12 AM

Re: O365 Message Encryption exposing private info

I’ll open an SR, but I doubt that’s the best way. Last time I found a bug in Exchange Online it took a month for my SR to get elevated, and another two weeks to get it fixed.
0 Likes
Reply
Loryan Strant

‎Jan 23 2017 03:58 PM

‎Jan 23 2017 03:58 PM

Re: O365 Message Encryption exposing private info

You're right, it will take some time unless you have a Premier Support agreement which would potentially shave a week or two off the timeframe.
The SR process will allow the support engineer to replicate the issue and then escalate it, as the engineering time needs more than just your word and evidence to prove that it's an issue. :)
0 Likes
Reply