Microsoft: Office 365 Message Encryption coming in early 2014

Business users of Office 365 will be able to access a new feature in early 2014 made to offer more secure communications with folks outside a company. Microsoft's new service is Office 365 Message Encryption, a newly renamed version of the older Exchange Hosted Encryption that will include some new features for Office 365 subscribers.

The official Office blog has more information on the new service, which will be free for Office 365 E3 and E4 users and cost $2 a month for all other users. Microsoft said it was made as a way for companies to send such emails to people who are not directly employed by the business "without the administrative overhead required to use S/MIME or similar technologies." Microsoft added:

Setting up the transport rules is simple. Administrators simply select the action to apply encryption or remove encryption in the Exchange admin center. This is an improvement over EHE, which required complex headers and multiple setup steps.

Emails sent on this service will view the encrypted messages as an attachment, and it will include instructions on how to open it up in a new browser window. If the receiver of the message decides to reply back or forward it to others, those emails are also encrypted.

Source: Microsoft | Image via Microsoft

Report a problem with article
Previous Story

Xbox One Launch in pictures

Next Story

Rumor: Microsoft looking to shake up music streaming with Deezer?

11 Comments

Commenting is disabled on this article.

Microsoft said it was made as a way for companies to send such emails to people who are not directly employed by the business "without the administrative overhead required to use S/MIME...."

This type of messaging security is becoming fairly popular nowadays. Unfortunately, it's not really that much more secure than sending unencrypted messages. S/MIME or PGP (which are different but close enough in comparison to the method being described in the article) are the most secure method of email communications. Is there administrative overhead (that would confuse the hell out of a client who knows nothing of InfoSec)? Sure. But that is the tradeoff with security vs convenience. The idea that it is safe to have a 3rd party host secure content and then have the recipient authenticate with said 3rd party is incorrect. It's safer than sending unencrypted messages when an adversary is MITM'ing the connection, but nowadays, how often is that really the attack vector? In this day and age, most "hacks" have more to do with social engineering and decent tech skills as opposed to someone using 1337 h4x to exploit a service. Requiring the message recipient to authenticate with a Microsoft account is just opening up another attack vector (social engineering the MS account).

IMO, the most secure setup for a home user to receive sensitive information via email from a business would be to employ PGP or S/MIME to encrypt the message, make sure the email servers are using TLS, and have the user authenticate with POP/SMTP over SSL. Unfortunately, the sending party has no control over whether the recipient's server supports TLS (they can choose to only send messages over TLS, but that would break email between many organizations), and they have no way to control or determine how the user authenticates with their own email server.

To move towards a more secure worldwide messaging infrastructure, all email clients (standalone and web-based) need to implement a mandatory encryption standard such as PGP that includes an automated key exchange when communicating with new recipients. Something to simplify the most challenging aspect of messaging security: configuring it for the end user.

In summation, secure email is a farce. It does not exist. There are secure technologies that can be used with email, but there are too many parties involved with the exchange of messages, each which have an affect on the overall security of the exchange, to definitively state that all email communications are protected. (All as in with anyone, at any time. Communications between specific people and organizations can be configured as such, but the time and knowledge required is impossible to scale for the entire web).

By your definition it isn't secure if the NSA has the key(s). At the same time, in this context, as long as NSA employees don't do private snooping, the NSA is functioning as intended, as a security agency. If someone in my building is planting a bomb and communicating via encrypted email with fellow culprits, I sure as hell want the NSA to learn about it in real time, and hopefully act on the information, before I hear it go off. I want the NSA to use information, not abuse it.

seeprime said,
... I want the NSA to use information, not abuse it.
How would you ensure that NSA would not go abusing it? Isn't it something beyond your control?

seeprime said,
If someone in my building is planting a bomb...

So every citizen in this entire nation should be living in what amounts to a 24/7 police state of constant surveillance because you've been made afraid of a one in a billion hypothetical? Made afraid by the very people who use your tax dollars in order to justify their massive graft and to keep themselves in profitable power?

I choose not to live in fear of being struck by lightning and I'd prefer those trillions go to help feed, clothe, heal, and shelter 350 million Americans when they need it.

Here is my question: Is this feature been in the planning phase for a long time or is it in response to the nsa spying?

#Michael said,
Here is my question: Is this feature been in the planning phase for a long time or is it in response to the nsa spying?

Microsoft already had Exchange Hosted Encryption (EHE) and this is simply the newest version of it with more features, easier deployment, and built into O365.

#Michael said,
Here is my question: Is this feature been in the planning phase for a long time or is it in response to the nsa spying?

PGP has made available encryption for emails and instant messaging for many, many years. This is just an evolution, although reading how it works (message is an attachment with instructions for opening) it sounds like a very poor implementation, and would "train" or "de-sensitise" the user to open attachments - never a good thing.

I think this functionality will be added in the next Office service pack and its a feature wich I will gladly embrace. Its clear that Microsoft works hard to improve this product , make it more accessible to user while adding security components on first occasion.
One more thing .. they will surely crush Google office suit with this , slow but sure.