Office 365..? how Microsoft handed the NSA access to encrypted messages

Matt Baldwin baldwinmathew at
Fri Jul 12 20:26:20 UTC 2013

I should also note that even if the stores are on an encrypted LUN you are
still exposed to impersonation and journaling.


On Fri, Jul 12, 2013 at 1:25 PM, Matt Baldwin <baldwinmathew at>wrote:

> While that would secure the connections from snooping if you're mailboxes
> are on Office 365 and those mailbox stores do not exits on an encrypted LUN
> then a service can easily read the Exchange database; anyone with server
> access can read mail across all mailboxes. In fact, Microsoft supports this
> type of setup with impersonation, e.g. a global user that can query any
> mailbox it has permissions to within Exchange. This is how some EWS
> integrated applications work. It wouldn't be that far fetched for the NSA
> to incorporate the same type of query to monitor the mailboxes -- even
> subscribing to change notifications so it only queries and collects when a
> new mail item has arrived. Additionally, Office 365 can simply create a
> journal rule and have all inbound / outbound mail journal to a location
> that makes it easier for snoops to look through the messages, e.g. an
> external SMTP endpoint, all without the end customers' knowledge.
> If anyone has any questions on Exchange they, too, can contact me off
> list.
> Just my 2-cents.
> -matt
> On Fri, Jul 12, 2013 at 1:04 PM, Nick Khamis <symack at> wrote:
>> We are currently working on something right now where all connections
>> are doing over an encrypted vpn. We are bringing SIP, email, search,
>> and cloud to the tunnel.
>> You can contact me off list if you would like to know more.
>> Nick Khamis

More information about the NANOG mailing list