Office 365..? how Microsoft handed the NSA access to encrypted messages

Matt Baldwin baldwinmathew at
Fri Jul 12 20:25:28 UTC 2013

While that would secure the connections from snooping if you're mailboxes
are on Office 365 and those mailbox stores do not exits on an encrypted LUN
then a service can easily read the Exchange database; anyone with server
access can read mail across all mailboxes. In fact, Microsoft supports this
type of setup with impersonation, e.g. a global user that can query any
mailbox it has permissions to within Exchange. This is how some EWS
integrated applications work. It wouldn't be that far fetched for the NSA
to incorporate the same type of query to monitor the mailboxes -- even
subscribing to change notifications so it only queries and collects when a
new mail item has arrived. Additionally, Office 365 can simply create a
journal rule and have all inbound / outbound mail journal to a location
that makes it easier for snoops to look through the messages, e.g. an
external SMTP endpoint, all without the end customers' knowledge.

If anyone has any questions on Exchange they, too, can contact me off list.

Just my 2-cents.


On Fri, Jul 12, 2013 at 1:04 PM, Nick Khamis <symack at> wrote:

> We are currently working on something right now where all connections
> are doing over an encrypted vpn. We are bringing SIP, email, search,
> and cloud to the tunnel.
> You can contact me off list if you would like to know more.
> Nick Khamis

More information about the NANOG mailing list