An enterprise encryption app for Outlook is not so secure, say researchers

German security firm SEC Consult has told enterprise organizations not to use any product from a UK security firm due to flaws found in its email encryption application. 

SEC Consult says its “brief crash test” analysis of UK-based SecurEnvoy’s SecurMail application turned up seven “severe” vulnerabilities that it claims broke the core security promises that SecurEnvoy made to customers. 

“Several vulnerabilities in the SecurEnvoy SecurMail encrypted mail transfer solution allow an attacker to read other users’ encrypted e-mails and overwrite or delete e-mails stored in other users’ inboxes,” SEC Consult notes in its advisory. 

SecurEnvoy was acquired by UK investment firm The Shearwater Group last year for £20 million and is marketed as a multi-factor authentication vendor for organizations that use Microsoft Outlook, Office 365, Salesforce, Cisco and other platforms. The company has distributors in Europe, the US and Australia.  

SecurEnvoy released patches for the flaws at the beginning of March, just over three months after SEC Consult reported them to it. The UK firm also promptly responded to queries during the disclosure period, according to SEC Consult’s timeline of events.

Despite this, SEC Consult has advised customers against using any SecurEnvoy product in a production environment until the UK firm conducts a thorough security audit of its entire portfolio because of how quickly it found flaws in SecurMail. 

“We recommend not to use SecurEnvoy products (especially SecurMail) in a production environment until a comprehensive security audit has been performed and state of the art security mechanisms have been adopted,” writes SEC Consult. 

"Since these vulnerabilities were found during a very short time frame, SEC Consult believes that the product may contain a large number of other security vulnerabilities. As already several core security promises have been broken during this short crash test, no further tests were conducted," it added later. 

The German security firm highlights that the vulnerabilities contradict claims in SecurEnvoy’s marketing about its “revolutionary” answer to the obstacles users face when attempting to properly encrypt content in email clients such as Outlook. 

SecurEnvoy’s website states that: “Sending and receiving encrypted emails is not an easy or simple experience. Businesses rely on email with an increasing amount of sensitive data sent across their networks. A revolutionary approach that doesn’t suffer from the overheads of deployment and encryption management; just rock-solid security to give you 100% confidence in your business communications.”

One of the seven vulnerabilities SEC Consult reported to SecEnvoy concerned what it describes as “missing authentication and authorization” that would allow an attacker on a target’s network to carry out tasks that could be exploited in the multi-billion dollar fraud known as business email compromise (BEC).

“In order to send encrypted e-mails a client does not need to authenticate on the SecurEnvoy server,” writes SEC Consult. “Therefore anyone with network access to the server can arbitrarily send e-mails that appear to come from an arbitrary sender address. Moreover, an attacker with network access to the server can re-send previous communication to arbitrary recipients. This allows him/her to extract all e-mails stored on the server. An attacker could also modify arbitrary messages stored on the server.”

SEC Consult also found that intended recipients can read the content of email sent to other recipients. 

CSO Australia has asked SEC Consult and SecurEnvoy for additional details.