Symantec Encryption Desktop may encrypt and send emails to unintended recipients

Article ID: 150357

Products: Desktop Email Encryption, Encryption Management Server, Gateway Email Encryption


Resolution

Symantec Encryption Desktop may encrypt and send email to unintended recipients due to the mail configuration of an Active Directory/Exchange environment; those unintended recipients may be sent emails without being included in the To, CC, or BCC fields.

Environment:

  • Symantec Encryption Desktop client is used for Email Encryption.
  • Symantec Encryption Management Server (SEMS) used to manage client and mail policies.
  • Directory Synchronization is being used on Symantec Encryption Management Server to communicate with Active Directory.
  • MAPI is typically being used within an Exchange environment.
  • Active Directory (AD) Security Groups or Distribution Lists (DLs) make use of the Email field, and that field contains actual end users' email addresses.

If the above conditions apply, whenever Symantec Encryption Desktop sends to one of these DLs, upon expansion all members of the list will be sent encrypted emails (if keys are available), as will whoever is listed in the Email field of the DL.

In another scenario, if UserA and UserB are added to an AD Security Group, and UserB's actual email address is entered in the Email field of that Security Group or DL, then when UserC sends an email to UserB, both UserA and UserB may receive the email, even though UserC sent only to UserB and not to the DL or Security Group. To prevent this behavior, ensure that end users' email addresses are not used in the Email field of Security Groups or DLs in AD.

In an Exchange environment, Security Groups and Distribution Lists are used to group multiple users. Without Symantec Encryption Desktop, Distribution Lists are expanded on Exchange.

Because this is too late for end-to-end encryption to find the keys and to encrypt, Symantec Encryption Desktop has logic to ask Symantec Encryption Management Server if an email address is a DL.

SEMS mail policy then has a rule that explicitly performs DL expansion. When the Symantec Encryption Desktop client asks SEMS for a DL expansion, SEMS in turn queries Active Directory to see which addresses are found.

Because of this, if Directory Synchronization is enabled, SEMS passes the expansion list back to the Symantec Encryption Desktop client, which then sends encrypted email to all recipients that are part of the list, as well as to any users entered in the Email field of the DL or Security Group, even if the email was not addressed to the DL specifically.

Although Symantec Encryption Desktop will attempt to find keys for any recipient in the To, CC, or BCC fields of the email, only those recipients who have keys will receive encrypted emails. 

Ultimately, Symantec Encryption Desktop does not determine who receives the email: as part of the DL or Security Group expansion, AD supplies all additional recipients that should receive it. Whether or not the email is encrypted depends on whether a key is then found on a keyserver or keyring, locally or remotely.
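The mitigation above (keep end users' addresses out of the Email field of Security Groups and DLs) and the expansion behavior just described both come down to one directory condition: a group object whose mail attribute is an address that also belongs to a user object. The following PowerShell script is an added example, not code from the Symantec article or from the product; it audits Active Directory for exactly that condition and reports how many members would be pulled into the expansion. It assumes the RSAT ActiveDirectory module and read access to the directory; the SearchBase value is a placeholder.

```powershell
# Added example (not from the Symantec article): find AD groups whose Email
# field (LDAP 'mail' attribute) is the address of a real user object.
# Assumes the RSAT ActiveDirectory module is installed and the caller can
# read group and user objects. The SearchBase below is a hypothetical placeholder.
Import-Module ActiveDirectory

function Find-GroupsWithUserMail {
    param(
        # Optional container to limit the audit, e.g. 'OU=Groups,DC=example,DC=com' (placeholder)
        [string]$SearchBase = $null
    )

    # Only groups that actually carry a mail address can trigger the expansion problem
    $params = @{ Filter = 'mail -like "*"'; Properties = 'mail', 'member' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    foreach ($group in Get-ADGroup @params) {
        $addr = $group.mail

        # Escape the characters that are special inside an LDAP filter (RFC 4515)
        $escaped = $addr -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

        # Does any user own this address, as primary mail or as an SMTP proxy address?
        $owner = Get-ADUser -LDAPFilter "(|(mail=$escaped)(proxyAddresses=smtp:$escaped))" -Properties mail |
                 Select-Object -First 1

        if ($owner) {
            # Each row is a group whose Email field collides with a user address:
            # mail addressed only to that user could be expanded to every member listed here.
            [pscustomobject]@{
                Group         = $group.DistinguishedName
                GroupCategory = $group.GroupCategory
                Mail          = $addr
                OwnedByUser   = $owner.SamAccountName
                MemberCount   = @($group.member).Count
            }
        }
    }
}

# Usage: list every colliding group with its member count
Find-GroupsWithUserMail | Format-Table -AutoSize
```

Run the audit from a workstation with the ActiveDirectory module; an empty result means no group carries a user's address in its Email field. Rows that do appear are the groups to review with the Exchange and directory owners before changing anything, since the note below asks that a reproducing environment be left unchanged until Symantec Support has analysed the mail policy behavior.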

Note: There may be other, as yet unknown, scenarios in which policies associated with email addresses in Active Directory/Exchange cause an email to be encrypted to unintended recipients. If such a scenario is encountered, please reach out to Symantec Support, who can help troubleshoot the issue while it is happening. While the behavior is occurring, please do not change the environment in an attempt to fix it, as that could prevent analysis of the mail policies before an explanation is found: changes to the environment may alter or stop the behavior, making it difficult to ascertain the root cause.

Etrack: 2474366, 3937496