As I mentioned in an earlier post, email encryption is a sticky thing. In a perfect world, everyone would have Opportunistic TLS enabled and all mail traffic would be automatically encrypted with STARTTLS, which is a fantastic method of ensuring security of messages “in transit”. But some messages need to be encrypted “at rest” due to security policies or regulations. Unfortunately, researchers have recently discovered some key vulnerabilities in S/MIME and OpenPGP. These encryption systems have been the most common ways of ensuring message encryption for messages while they are sitting in storage. The EFAIL vulnerabilities allow HTML-formatted messages to be exposed in cleartext by attacking a few weaknesses.
Enter Office 365 Message Encryption (OME)
Luckily, Office 365 subscribers can improve the confidentiality of their email by implementing a feature that is already available to all E3 and higher subscriptions or by purchasing licenses for Azure Information Protection and assigning them to users that plan to send messages with confidential information in them. The following is a short How-To on enabling the Office 365 Message Encryption system and setting up rules to encrypt messages.
To enable and configure Office 365 Message Encryption for secure message delivery, the following steps are necessary:
- Subscribe to Azure Information Protection
- Activate OME
- Create Rules to Encrypt Messages
Details are below.
Subscribe to Azure Information Protection
The Azure Information Protection suite is an add-on subscription for Office 365 that will allow end users to perform a number of very useful functions with their email. It also integrates with SharePoint and OneDrive to act as a Data Loss Prevention tool. With AIP, users can flag messages or files so that they cannot be copied, forwarded, deleted, or a range of other common actions. For email, all messages that have specific classification flags or that meet specific requirements are encrypted and packaged into a locked HTML file that is sent to the recipient as an attachment. When the recipient receives the message, they have to register with Azure to be assigned a key to open the email. The key is tied to their email address and once registered the user can then open the HTML attachment and any future attachments without having to log in to anything.
Again, if you have E3 or higher subscriptions assigned to your users, they don’t also need AIP. However, each user that will be sending messages with confidential information in them will need either an AIP license or an E3/E5 license to do so. To subscribe to AIP, perform these steps:
- Open the Admin portal for Office 365
- Go to the Subscriptions list
- Click on “Add a Subscription” in the upper right corner
- Scroll down to find Azure Information Protection
- Click the Buy Now option and follow the prompts or select the “Start Free Trial” option to get 25 licenses for 30 days to try it out before purchasing
- Wait about an hour for the service to be provisioned on your O365 tenant
Once provisioned, you can then move on to the next step in the process.
Activate OME
This part has changed very recently. Prior to early 2018, activating Office 365 Message Encryption took a lot of PowerShell work and waiting for it to function properly. Microsoft changed the method for activating OME to streamline the process and make it easier to work with. Here’s what you have to do:
- Open the Settings option in the Admin Portal
- Select Services & Add-ins
- Find Azure Information Protection in the list of services and click on it
- Click the link that says, “Manage Microsoft Azure Information Protection settings” to open a new window
- Select the Activate button under “Rights Management is not activated”
- Choose Activate in the window that pops up
Once this is done, you will be able to use AIP’s client application to tag messages for rights management in Outlook. There will also be new buttons and options in Outlook Web App that will allow you to encrypt messages. However, the simplest method for encrypting messages is to use an Exchange Online Transport Rule to automatically encrypt messages.
Create Rules to Encrypt Messages
Once OME is activated, you can encrypt messages using the built-in Rights Management tools, but it’s much easier to use specific criteria to encrypt automatically. Follow these steps:
- Open the Exchange Online Admin Portal
- Go to Mail Flow
- Select Rules
- Click on the + and select “Add a New Rule”
- In the window that appears, click “More Options” to switch to the advanced rule system
- The rule can be anything from Encrypting messages flagged as Confidential to tagging the subject line. My personal preference is to use subject/body tags. Make your rule look like the below image to use this technique:
When set up properly, the end user will receive a message telling them that they have received a secure message. The email will have an HTML file attached that they can open up. Once users register they can read email without any other steps required and it will be protected from outside view.
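The same subject/body-tag rule can be created and checked from Exchange Online PowerShell. This is an added example, not part of the original post: the rule name, the tags and the test sender address are hypothetical placeholders, and it assumes the ExchangeOnlineManagement module is installed and the account can manage transport rules.

```powershell
# Added example. Values marked "hypothetical" are placeholders, not from the post.
$RuleName = 'Encrypt tagged mail'          # hypothetical rule name
$Tags     = '[encrypt]', '[secure]'        # hypothetical subject/body tags
$Sender   = 'user@example.com'             # hypothetical licensed sender

Connect-ExchangeOnline

# 1. Confirm the Rights Management activation has reached Exchange Online.
#    If this is False, a rule that applies encryption cannot protect mail yet.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw 'AzureRMSLicensingEnabled is False: OME is not active for this tenant yet.'
}

# 2. End-to-end check that templates and keys can be retrieved for a sender.
Test-IRMConfiguration -Sender $Sender

# 3. Create the rule only if it does not exist, so re-running is harmless.
#    'Encrypt' is the built-in encrypt-only template. Adding
#    -SentToScope NotInOrganization would limit the rule to external recipients.
$existing = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-TransportRule -Name $RuleName `
        -SubjectOrBodyContainsWords $Tags `
        -ApplyRightsProtectionTemplate 'Encrypt' `
        -Mode Enforce
}

# 4. Audit every rule that applies encryption: state, order and trigger words.
#    Rules are evaluated by Priority, so an earlier rule with
#    "stop processing more rules" can prevent this one from firing.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate -or $_.ApplyOME } |
    Format-List Name, State, Mode, Priority,
                SubjectOrBodyContainsWords, ApplyRightsProtectionTemplate

Disconnect-ExchangeOnline -Confirm:$false
```

After the rule is in place, send a tagged test message to an external mailbox and confirm in the message trace that the rule fired before relying on it for confidential mail.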