Microsoft to Roll Out Encrypted Message Service for Office 365

Microsoft is planning to roll out a new encrypted email service on its Office 365 site that will make sending and receiving secure email much simpler.

Encryption, once a tool used mainly by security professionals, activists and others with reason to suspect their communications may be at risk, has been moving ever deeper into the mainstream in recent months. Now, Microsoft is planning to roll out a new encrypted email service on its Office 365 site that will make sending and receiving secure email much simpler.

The new service, known as Office 365 Message Encryption, is designed to simplify the process of using encrypted email, something that hasn’t been as easy as most users would like. Setting up and using many secure email applications can be an arduous and confusing process, particularly for users who may not be familiar with security. Microsoft’s new service, which will be available in the first quarter of 2014, uses a system that’s somewhat similar to other secure email systems, wherein a user receives an email with an encrypted attachment and instructions for opening it.

“No matter what the, Yahoo, Gmail, Exchange Server, Lotus Notes, GroupWise, Squirrel Mail, you name it-you can send sensitive business communications with an additional level of protection against unauthorized access. There are many business situations where this type of encryption is essential,” Microsoft’s Shobhit Sahay said in a blog post explaining the new service.

“When an external recipient receives an encrypted message from your company, they see an encrypted attachment and an instruction to view the encrypted message. You can open the attachment right from your inbox, and the attachment opens in a new browser window. To view the message, you just follow the simple instructions for authenticating via your Office 365 ID or Microsoft Account.”

Since the start of the summer, when the Edward Snowden NSA leaks began, encrypted communications have become a hot topic in the security and privacy communities, as well as in the wider user community. The secure email service reportedly used by Snowden, Lavabit, shut down in August, as did the Silent Mail system run by Silent Circle, both moves coming on the heels of government demands for Lavabit’s SSL keys.

Microsoft’s new service isn’t really the same kind of system as those, but it’s meant to help businesses secure their sensitive communications through the use of a variety of encryption schemes. When the data is at rest in Microsoft’s data center, it will be protected by BitLocker. The connection between the client and the Office 365 servers is protected by SSL ad the messages will be encrypted and signed using S/MIME.

The system will use a simple Web interface for administration, and enterprise administrators have the ability to set up riles that determine which emails will be encrypted.

“The Message Encryption interface, based on Outlook Web App, is modern and easy to navigate. You can easily find information and perform quick tasks such as reply, forward, insert, attach, and so on. As an added measure of protection, when the receiver replies to the sender of the encrypted message or forwards the message, those emails are also encrypted,” Sahay said.

Image from Flickr photos of FutUndBeidl.

Suggested articles


  • m128 on

    So does the NSA have Microsoft's SSL keys already?
  • Tom on

    This seems to be an awful system: anyone can imitate an e-mail with an encrypted attachment from this service but then redirect the recipient to a fake Microsoft site and obtain that person's username and password (giving them access to all their e-mails). It may very well be that, by enabling this effective phising method, this system will actually decrease the security of Outlook rather than improve it. Of course users will be able to verify the authenticity of the Microsoft site because SSL is used, but most people probably won't notice it when the address bar in their browser is missing the indicator that they are indeed communicating with Microsoft and not someone else. Educating the general public to do this every time when opening an encrypted e-mail is a difficult task. Furthermore, Microsoft is (probably) managing the keys and is therefore able to decrypt all mails. This offers limited to no protection against NSA surveilance (an important reason why many people would like starting to encrypt mails) because they can secretly force Microsoft to hand over keys (or at least plaintext e-mails).
  • Jim on

    Furthermore I can send you a nice malware attachment that looks just like your encrypted email.
  • Renier on

    Another reason why Keyservers are not supposed to be managed by companies like MS or Cisco. They are always hand in hand with the government. Most Countries have laws against Keyservers being hosted outside of the countries borders, i.e. South Africa Australia and some European countries like Switzerland etc. So major fail there. Had the same issue with the current issue where they are using Voltage. Would rather host my own Keyserver, such as Cisco' IEA, but not using their CRES but buy your own. unfortunately, after they bought it from IronPort, they sent an announcement of end of life /support middle 2015. The best bet will be to use Totemo's options ( Swiss based, but the server are hosted in your own environment.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.