2

I am following the forum thread: Azure Information Protection | How to decrypt .EMLs coming from EWS API?

I am interested in knowing the steps to decrypt an encrypted office 365 email. Can you please comment on the following:

  1. As you mentioned that one has to convert the email to .msg file, so my question is, after writing the email (I think Mime stream) to msg file, would the file persist the encryption?

  2. What is the role of .rpmsg file in decryption, which is the attachment inside the encrypted emails, when we read the email using EWS api?

  3. I have explored MIP Protection and File Api. So to encrypt a file using SetLabel, we need a Sensitivity Label (from Office 365 Compliance), I think we would have to use the same label to decrypt an email, using which, the email was encrypted. Again, would it be possible to get the label from converted .msg file?

  4. I could not find Inspect method\function in FileHandler object, which you mentioned in the above-mentioned forum link. Can you please suggest how to find that out?

So in summary, just wanted to know the steps to decrypt an encrypted email, using FileHandler.RemoveProtection() followed by FileHandler.CommitAsync().

Thanks

Laeeq Qazi
  • Traditionally you do the research, then you put together some code. When you get stuck on the code, you can get help on StackOverflow! Where are you at with your code, and do you get an error that we can troubleshoot? – shadow2020 Apr 09 '20 at 17:58
  • Actually this (MIP SDK) is a new SDK\Api, so trying to understand how should I go ahead to write the code. I would surely post a code snippet, once I know what are the actual steps to decrypt the encrypted emails. Thanks – Laeeq Qazi Apr 09 '20 at 19:00

2 Answers

3

There's a step that it's the sample application that ships with the SDK bins (https://aka.ms/mipsdkbins). We have a draft about ready to publish in docs, but I don't expect that to be available for a week or two.

If you're using C#, you can use this to enable the feature flag.

```csharp
var customSettings = new List<KeyValuePair<string, string>>();
customSettings.Add(new KeyValuePair<string, string>("enable_msg_file_type", "true"));

// Create a FileEngineSettings object, then use that to add an engine to the profile.
var engineSettings = new FileEngineSettings("user1@tenant.com", "", "en-US");
engineSettings.Identity = new Identity("user1@tenant.com");

// Set custom settings for the engine.
engineSettings.CustomSettings = customSettings;
```

That will enable your application to decrypt MSG files and to use the Inspect functionality to decrypt message.rpmsg files to byte streams.

It's important to note that we don't directly support decryption of EML (MIME compliant) messages. You'd need to convert to MSG or decrypt the message.rpmsg file extracted from the MIME message.

To answer your questions:

  1. Yes. Convert EML to MSG and the encryption remains. You should be able to decrypt.
  2. Message.rpmsg is an encryption envelope that contains the plaintext mail body and all attachments. You can use the Inspect function to get the decrypted bytes and attachments. Keep in mind that attachments might also be encrypted and that you'll need to recursively decrypt on your own.
  3. You don't need the label information to decrypt the message. If you're referring to MSG files, you can use the FileHandler.RemoveProtection() function or GetDecryptedTemporaryFileAsync() (or the stream option).
  4. If you're using .NET, we didn't expose it in 1.5 (C++ only). We plan to release MIP SDK 1.6 in the next week and it will be available there.
Tom Moser
  • Thanks Tom. Yes, I am using C#.Net wrapper for MIP.File SDK. I have used your provided sample, which encrypts a file using Sensitivity Label and File SDK, and also added functionality to decrypt the File. I would wait for MIP SDK 1.6 then, to explore the email decryption more. – Laeeq Qazi Apr 13 '20 at 19:56
  • 1
    You're welcome! I expect to have the build tomorrow and can hopefully release early next week. – Tom Moser Apr 14 '20 at 22:22
  • 1
    I am now able to decrypt the encrypted emails. Your comment greatly helped me, thanks. Here are the steps: 1. Download email from office365 to local machine (using Ews or Graph api). 2. Save the MimeContent of the email as .EML (I did this with Ews Api) 3. Use Redemption to convert the .EML file to .Msg file 4. Pass the .Msg file to MIP File handler, set output file also as a new .Msg file 5. Use FileHandler.RemoveProtection() function to decrypt the Email (represented by input .msg file) to output .msg file 6. Commit the changes using FileHandler.CommitAsync(options.OutputName) – Laeeq Qazi May 16 '20 at 22:24
  • I was also able to decrypt the email using handler.GetDecryptedTemporaryFileAsync(). The difference is, this method generates the output file inside 'bin\Debug\mip_data\mip\temp' folder. And yes, both ways, I didn't have to pass Sensitivity Label. Note, I used all the basic code from this sample: https://github.com/Azure-Samples/MipSdk-Dotnet-File-ServicePrincipalAuth – Laeeq Qazi May 16 '20 at 22:31
  • @LaeeqQazi When MIP.createMIPContext is called, I always get a Message=Unknown exception occurred in MipContext_CreateWithCustomFeatureSettings Exception. I already moved from Mac to Win to get the stuff to run, as the MIP SDK does not seem to support Linux. But as said, this is the message on Win. Do you have a working sample which is able to remove AIP protection? Thanks, Thomas – thomas Jun 11 '20 at 14:18
  • @thomas I am currently very busy, but would post the app link here, this weekend. I ran the MS sample without any issue on 2 machines, both Windows 10. I would suggest to install VS 2017 community edition on another machine, and test the MS sample there. – Laeeq Qazi Jun 12 '20 at 17:45
  • BTW, the app I created belongs to a company (I worked for as a freelancer), so not sure if they would allow me to post the app to community. Thanks – Laeeq Qazi Jun 12 '20 at 17:47
  • @TomMoser the decrypted message_v2.rpmsg seems to be in a Compound Document File format. Is there any documentation for this? – John C Oct 01 '20 at 06:54
  • @TomMoser In the SDK, the Inspect method returns a MsgInspector class. That class does not return the different body types of the rpmsg, it only gives the RTF version in the Body property and gives the Type as TXT. The MsgAttachmentData class does not expose the ContentId property either, so there is no way to determine if the attachment is an inline attachment or actual file attachment. – John C Oct 02 '20 at 13:26
  • 1
    The rpmsg file is defined in MS-OXORMMS: https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxormms/a121dda4-48f3-41f8-b12f-170f533038bb I'll need to check in with engineering on the 2nd question. – Tom Moser Oct 02 '20 at 22:42
  • After some review, I determined that we considered work to expose the body encoding/format, but never shipped it. This was largely because the API is intended to be used purely for text extraction and inspection for DLP and content inspection services. If you've got a different use case where having this detail is important, I'd love to have more details so we can justify the work to update these APIs. – Tom Moser Oct 05 '20 at 21:41
  • @TomMoser is this decryption possible with Java ? Thank you. – NinjaDev Feb 26 '21 at 20:36
  • Yes, the latest preview of the Java wrapper should be at parity with .NET. – Tom Moser Mar 10 '21 at 05:52
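
The answer above notes that EML is not decrypted directly and that the alternative to MSG conversion is to extract message.rpmsg from the MIME message. The following is an added Python example of that extraction step only, not code from the answer or from the MIP SDK: it finds every rpmsg envelope in an EML (including mail forwarded as an attachment) and records a hash for each. The sample message and payload are constructed; the MIME type is the one MS-OXORMMS assigns to the envelope.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# MIME type of the protected envelope per MS-OXORMMS.
RPMSG_CTYPE = "application/x-microsoft-rpmsg-message"
SAMPLE_PAYLOAD = b"NOT-A-REAL-RPMSG"  # constructed stand-in, not a real envelope

def find_rpmsg_parts(eml_bytes):
    """Return one record per rpmsg envelope found anywhere in the MIME tree.

    walk() also descends into message/rfc822 parts, so a protected mail
    that was forwarded as an attachment is found too.
    """
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    records = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_type() != RPMSG_CTYPE and not name.lower().endswith(".rpmsg"):
            continue
        data = part.get_payload(decode=True) or b""  # undo base64 transfer encoding
        records.append({
            "filename": name or "message.rpmsg",
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # evidence hash before decryption
            "data": data,  # still encrypted; decryption is the MIP SDK's job
        })
    return records

def build_sample_eml():
    """Constructed sample: a protected mail forwarded inside a plain one."""
    inner = EmailMessage()
    inner["Subject"] = "Protected (constructed sample)"
    inner["From"] = "user1@tenant.com"
    inner.set_content("This message is protected.")
    inner.add_attachment(SAMPLE_PAYLOAD, maintype="application",
                         subtype="x-microsoft-rpmsg-message", filename="message.rpmsg")
    outer = EmailMessage()
    outer["Subject"] = "FW: Protected (constructed sample)"
    outer["From"] = "user1@tenant.com"
    outer.set_content("See attached.")
    outer.add_attachment(inner)  # becomes a message/rfc822 part
    return outer.as_bytes()

if __name__ == "__main__":
    for rec in find_rpmsg_parts(build_sample_eml()):
        print(rec["filename"], rec["size"], rec["sha256"])
```

The bytes returned in `data` are what would be written to disk or passed as a stream to the SDK; the script performs no decryption itself.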
0

We are working on an eDiscovery solution for office365 emails, and have been waiting for code sample to decrypt an encrypted office 365 email. It's a show stopper for us, for our customers who use MIP|AIP protection for office 365 emails.

We also have almost the same questions, until the sample is posted at samples page for MIP SDK: https://learn.microsoft.com/en-us/samples/browse/?products=azure&term=mip%20sdk

Thank you. David

  • My answer has details. Once you enable the feature flag I mentioned, the code is exactly the same as decrypting any other type of file. – Tom Moser Apr 13 '20 at 17:11
  • I appreciate your detailed response @TomMoser, Thank you. We are using .Net wrapper for MIP SDK, so we would wait for next release of the SDK, and definitely would give it a try. – David Johnson Apr 14 '20 at 19:07