Recently Office 365 and Gmail introduced encrypted or confidential mode for email. This is not true encryption like PGP or S/MIME where two parties exchange keys and then proceed to send and receive email. Rather, the entire experience remains hosted at the originating email provider, and the receiver can access the “secured” message via a web link, which can be opened using a one time code, an SMS code or a login. In the same vain, they can reply via the same mechanism to the sender – with the entire experience hosted by Office 365 or Gmail.
Some concerns with this approach:
- Since all entire visual experience remains the same for most messages, it would be trivial for attackers to send phishing emails that looks identical to the real messages. With true encryption, this wouldn’t be an issue since the receiver would be able to verify the identity of the sender via keys exchanged prior to the email.
- Since the links to read the message go to the same domain (“confidential-mail.google.com“), it would be trivial for an attacker to register a look-alike domain (for example “confidentialmailgoogle.com” and “confidential-mail-google.com” are both unregistered). Again, not an issue with true encryption where the message is not hosted by the sender.
- If combined with a password-protected file, it would be possible for phishers and malware producers to host and spread their content via these types of messages without having the receiver being able to scan these files. With true encryption, there is a key exchange that takes place before.
- Since the real message content never travels through the email infrastructure, any existing controls that are in place to check and scan email will no longer apply. Organizations need to apply such controls on the web layer instead if the
Here is what it looks like by the receiver on Gmail (Office 365 screenshots coming):