O365 Message Encryption exposing private info


I’m not sure if this is the right place for this kind of post, but I think it warrants the attention of whoever is in charge of Office 365 Message Encryption (OME): OME doesn’t remove Exchange X-header fields from encrypted messages, which may expose private information.

OME delivers an encrypted message as an HTML attachment containing a FORM field called rpmsg, whose value is a MIME text (which further contains an attachment message.rpmsg, the encrypted message itself). rpmsg contains X-header fields used internally by Exchange, notably

* X-MS-Exchange-Organization-BCC, the list of BCC’d recipients;

* X-MS-Exchange-Organization-OriginalClientIPAddress, the client’s connecting IP address (some organizations consider it private and also remove X-Originating-IP from outbound messages);

* X-MS-Exchange-Organization-MessageSent24, apparently the number of emails sent within a moving 24-hour window.

(Screenshot: https://i.imgur.com/HQeTY8W.jpg)

I tried to contact the Exchange Team on Twitter previously, but haven’t heard back yet.

Update: I got an update from Microsoft today that this issue will be fixed in a future version of OME, although no release date was given.

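A check for the exposure described in the post above, added here as an example (not code from the original post or from Microsoft): it parses an OME HTML attachment, pulls the rpmsg form field, confirms message.rpmsg is inside, and lists any X-MS-Exchange-Organization-* headers the MIME text still carries. The HTML layout (a hidden input named rpmsg holding the HTML-escaped MIME text) and the sample message are constructed assumptions, so adapt the finder to real attachments.

```python
import html
from email import policy
from email.parser import Parser
from html.parser import HTMLParser

# Internal Exchange header prefix; the post names three headers under it found in rpmsg.
INTERNAL_PREFIX = "x-ms-exchange-organization-"
# Constructed sample of the MIME text carried in the rpmsg field (not a real OME capture).
SAMPLE_MIME = """\
From: alice@example.com
X-MS-Exchange-Organization-BCC: carol@example.org
X-MS-Exchange-Organization-OriginalClientIPAddress: 203.0.113.7
X-MS-Exchange-Organization-MessageSent24: 12
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="message.rpmsg"
Content-Disposition: attachment; filename="message.rpmsg"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Assumed layout of the OME HTML attachment: hidden input named rpmsg, value = escaped MIME text.
SAMPLE_HTML = ('<html><body><form method="post"><input type="hidden" name="rpmsg" '
               'value="%s"></form></body></html>' % html.escape(SAMPLE_MIME))

class _RpmsgFinder(HTMLParser):
    """Captures the (unescaped) value attribute of <input name="rpmsg">."""
    def __init__(self):
        super().__init__()
        self.value = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "rpmsg":
            self.value = a.get("value") or ""

def audit_ome_attachment(html_doc):
    """Report whether rpmsg carries message.rpmsg and which internal headers it exposes."""
    finder = _RpmsgFinder()
    finder.feed(html_doc)
    if finder.value is None:
        return {"has_rpmsg_attachment": False, "leaked_headers": {}}
    msg = Parser(policy=policy.default).parsestr(finder.value)
    has_rpmsg = any(p.get_filename() == "message.rpmsg" for p in msg.iter_attachments())
    leaked = {k: str(v) for k, v in msg.items() if k.lower().startswith(INTERNAL_PREFIX)}
    return {"has_rpmsg_attachment": has_rpmsg, "leaked_headers": leaked}
```

Run it over a saved OME attachment by feeding the file contents to audit_ome_attachment; a non-empty leaked_headers dict means the recipient can read those internal values.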
3 Replies
Have you logged a Service Request? That might be the best way to get some progress if you've found a bug/issue like this.
I’ll open an SR, but I doubt that’s the best way. Last time I found a bug in Exchange Online it took a month for my SR to get elevated, and another two weeks to get it fixed.
You're right, it will take some time unless you have a Premier Support agreement which would potentially shave a week or two off the timeframe.
The SR process will allow the support engineer to replicate the issue and then escalate it, as the engineering team needs more than just your word and evidence to prove that it's an issue. :)