Pau Lo

clues as to whether a received email in mailbox was encrypted in transit

We have been asked to review an employee's mailbox for an internal disciplinary investigation. Our Exchange server team have placed the mailbox on a litigation hold and provided a copy via a PST file using New-MailboxExportRequest. The theme of the review is to get an idea of what they have been sending/receiving. We have a company policy that for any sensitive emails, they must use an add-on for Outlook (Egress) which encrypts the content. They are also expected, if requesting external parties to email sensitive information into the company, to ask that they also use an encrypted email solution. I can see in their mailbox multiple examples of sensitive emails coming into this user's account from external addresses, but I wondered if there was any easy way (perhaps via headers or similar) to determine if that email was encrypted when it was sent in? I appreciate there are probably thousands of services and client add-ons which can encrypt email; I just didn't know if there would be any sort of universal clue in the email itself to determine if it was sent encrypted or "plain text" from their mail server, over the internet, and into the user's mailbox on our Exchange server.
ASKER CERTIFIED SOLUTION
Amit
Amit's answer is correct for your question.

And... If you have a business requirement to send encrypted email, likely you know what recipients should receive encrypted email.

If I were in this situation, I would not leave encryption up to individuals.

I'd track target recipients in my outgoing MTA + encrypt either the entire message or attachments on the fly.

You will never have 100% compliance... likely never even get close... if you place this burden/responsibility on individuals.
I am of the opinion that sensitive data should be encrypted using S/MIME or PGP. This should be enforced by the organization. It is up to the email servers to encrypt while in transit.

You instead should implement Data Loss Prevention at the corporate level
https://docs.microsoft.com/en-ca/office365/securitycompliance/data-loss-prevention-policies

> I just didn't know if there would be any sort of universal clue in the email itself to determine if it was sent encrypted or "plain text"

Can you open the message and view the contents without having the user's private key? If so, then it is not encrypted.
Pau Lo

ASKER

Re David's point, I can open the content, so that must mean they weren't encrypted. Interestingly, I can see TLS in some rows of the headers, but I am wondering if that part of the mail flow was emails being passed from our edge servers to the mailbox DB servers.
Just to add one more point: if you are using a product like Voltage with any DLP solution, that is a different game altogether.

ASKER

>And... If you have a business requirement to send encrypted email, likely you know what recipients should receive encrypted email.

Not easily, as it's any recipient of sensitive information sent by our employees. It's not just a small, set list of recipients, unfortunately.

ASKER

Looking into this a bit further (fairly new to message headers): when you use a 3rd-party parser to analyse message headers, it shows approx. 8-10 'steps' in the mail flow (please excuse me if mail flow is not the correct terminology). What would/could the various steps in the flow represent? I appreciate it may be different for all cases, but if, say, on both sides of the conversation they have an Exchange server setup, I am trying to get a really basic grasp on what each row of the header will represent. In this case, some of the rows mention TLS, e.g. midway through the list, but the initial ones give no mention of TLS. In other cases it just lists 'Microsoft SMTP Server (TLS)', whereas others mention more detail in the "with" column, e.g. Microsoft SMTP Server (version=TLS1_2, cipher=TLS. The first hop is obviously the first step in the process, and the final hop is the mail coming into a mailbox on our MB database server. It's just the rows in between, and why some would contain a TLS mention and others not, which I want to learn a little better.

ASKER

In fact, as a test I just emailed my corporate account from a hotmail.com account and then parsed the headers, and a number of steps bar hop 1 (in fact hops 2-6) contain "Microsoft SMTP Server (version=TLS1_2, cipher=TLS_xxxx". So does that mean even free webmail services like outlook.com/hotmail.com now use TLS and therefore encrypt email? Everything I read was that by default email was not encrypted, but I am wondering if that is actually true if even free webmail services seemingly send mail encrypted these days..
a lot of email is encrypted in transit (TLS) but once received it is plain text and also plain text on the originating server.
TLS is normally set to soft fail. Also, the encryption algorithm is not forced. Each site goes down their list of acceptable algorithms and once a match is made that is what they use. If site A prefers DES/64 and that is in your list of acceptable algorithms, then that is what is used. If there is NO matching algorithm then it could soft fail to no encryption.

My opinion is that PII leaving your organization should be encrypted from the source sender and decrypted by the recipient.
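To make the hop-by-hop picture from the asker's header posts and the reply above concrete, here is an added Python example (not from this thread or from any product it mentions). It reads the Received headers of a constructed message oldest-first, flags which hops advertise TLS in their "with" clause, and separately checks the Content-Type for S/MIME or PGP/MIME, which is the "can you open it without the private key" test in code; the hostnames, addresses and cipher string are constructed.

```python
import re
from email import message_from_string, policy

# Constructed sample (not a real capture); newest Received hop on top, as MTAs prepend them.
SAMPLE_EML = """\
Received: from smtp.example.net (203.0.113.10) by MB01.corp.example.com
 (10.0.0.5) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2176.2; Mon, 3 Jun 2019 09:00:02 +0000
Received: from [192.0.2.25] by smtp.example.net with ESMTP id abc123; Mon, 3 Jun 2019 08:59:58 +0000
From: sender@example.net
Content-Type: text/plain; charset="utf-8"

Attached are the figures we discussed.
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)"
                    r"(?:.*?\bwith\s+(?P<with>[^;]+))?", re.S)
# ESMTPS (RFC 3848) or a TLS version/cipher means THIS hop used STARTTLS only.
TLS_RE = re.compile(r"\bESMTPSA?\b|\bTLS")


def parse_hops(msg):
    """Received hops oldest first, so hop 1 is the sender's first MTA."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(re.sub(r"\s+", " ", str(raw)))
        with_clause = (m and m.group("with")) or ""
        ver = re.search(r"version=([\w.]+)", with_clause)
        ciph = re.search(r"cipher=(\w+)", with_clause)
        hops.append({"from": m.group("from") if m else "?",
                     "by": m.group("by") if m else "?",
                     "tls": bool(TLS_RE.search(with_clause)),
                     "version": ver.group(1) if ver else None,
                     "cipher": ciph.group(1) if ciph else None})
    return hops


def end_to_end_encryption(msg):
    """S/MIME or PGP/MIME label; None means the stored body is readable."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # smime-type=signed-data is signed, not enveloped: readable without a key
        signed = msg.get_param("smime-type") == "signed-data"
        return "S/MIME signed only" if signed else "S/MIME"
    if ctype == "multipart/encrypted" and "pgp" in (msg.get_param("protocol") or "").lower():
        return "PGP/MIME"
    return None


def analyse(raw_eml):
    msg = message_from_string(raw_eml, policy=policy.default)
    hops = parse_hops(msg)
    return {"hops": hops, "end_to_end": end_to_end_encryption(msg),
            "all_hops_tls": bool(hops) and all(h["tls"] for h in hops)}
```

A TLS flag on every hop still only shows transport encryption between servers; the copy in the PST stays readable unless end_to_end is set.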