A European cyber security company, With Secure, recently posted its findings on a flaw in the encryption method used in the local installation version of Microsoft Office 365.

Office Message Encryption (OME) works with Electronic Codebook (ECB). A party attempting to decrypt Office encrypted messages (which are sent as email attachments), may be able to determine the content by detecting where certain blocks of text, such as confidentiality footers or headings, repeat in multiple messages. The structure will be apparent even to a party that doesn't have the key for the encrypted text. ECB will encrypt repeating blocks of text in the same way. As stated in NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation, "in the ECB mode, under a given key, any given plaintext block always gets encrypted to the same ciphertext block. "

Unlike a more secure encryption method like Cipher Block Chaining (CBC) ECB does not use an initialization vector, a random factor which prevents blocks of identical plaintext (unencrypted text) from having the same encryption. This diagram on the Sophos cyber security blog, demonstrates the problem with ECB:

With Secure's post points out that a 2021 Microsoft FIPS (Federal Information Processing Standard) Compliance post [made to comply with the Information Technology Management Reform Act of 1996's encryption requirements] states that, "Legacy versions of Office (2010) require AES 128 ECB, and Office docs are still protected in this manner by Office apps.".

So apparently in order to avoid trouble with users running older versions of MS Office being unable to decrypt messages encrypted with CBC or another encryption method, Microsoft will continue to use the weaker ECB method.