Microsoft’s cloud service looks inside users’ zip files and scans them for malware, even when they’re password-protected, several users reported on Mastodon on Monday.
Compressing files into zip archives is a tactic that threat actors have long used to hide malware spread through email and downloads, because the payload is not visible to a scanner until it is extracted. Eventually, some attackers adapted by protecting the archives with a password that the end user has to enter when extracting the malicious file. Microsoft has responded by attempting to bypass the password protection and, where it succeeds, scanning the extracted contents for malicious code.
The password-protection analysis may be familiar to some, but it came as a surprise to Andrew Brandt, a security researcher who has long archived malware in password-protected zip files before exchanging it with other researchers through SharePoint. On Monday, he reported on Mastodon that Microsoft's collaboration tool had recently flagged a zip file he had protected with the password "infected."
“I fully understand doing this for anyone other than a malware analyst, but this kind of nosy, inside-your-business approach to dealing with this problem is going to be a big problem for someone like me who has to send malware samples to colleagues,” Brandt wrote. “The space available to do this continues to shrink, impacting the ability of malware researchers to do their jobs.”
Fellow researcher Kevin Beaumont joined the discussion, saying that Microsoft has multiple methods for scanning the contents of password-protected zip files and that it applies them not just to files stored in SharePoint but across its 365 cloud services. One method is to extract likely passwords from the body of the email or from the name of the file itself. Another is to try the file against a list of common passwords.
“Send yourself an email, type something like ‘ZIP password is Soph0s’, zip up EICAR, set the ZIP password to Soph0s, and the password is found, the file extracted and scanned (and it gives an MS detection),” he wrote.
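The two recovery methods Beaumont describes, pulling a password hint out of the mail body or file name and falling back to a list of common passwords, as an added example that is not code from the original article or from Microsoft. The standard library can read ZipCrypto archives but cannot write them, so the block includes a minimal ZipCrypto writer to build its sample archives in memory; the mail text, file names, passwords and the `COMMON_PASSWORDS` list are all constructed for the example, and the scan itself is a simple EICAR substring match standing in for a real engine.

```python
"""Recovering a ZipCrypto password from context and scanning what it protects.

The standard library can read ZipCrypto archives but cannot write them, so a
minimal writer is included to build the sample archives in memory. All names,
passwords and mail text below are constructed for this example."""
import io
import re
import struct
import zipfile
import zlib

# EICAR test string, assembled in two parts so the source file is not a verbatim copy.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode()


class ZipCrypto:
    """Traditional PKWARE ('ZipCrypto') stream cipher, encrypt direction only."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    @staticmethod
    def _crc(crc: int, b: int) -> int:
        # One table step of CRC-32: zlib's update with its pre/post inversion undone.
        return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def _update(self, p: int) -> None:
        k = self.k
        k[0] = self._crc(k[0], p)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = self._crc(k[2], k[1] >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = self.k[2] | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key schedule advances on the plaintext byte
        return bytes(out)


def zipcrypto_zip(name: bytes, plain: bytes, password: bytes) -> bytes:
    """One stored (uncompressed) entry, ZipCrypto-encrypted, in a well-formed zip container."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    enc = ZipCrypto(password)
    # 12-byte encryption header; byte 11 is the password check byte (high byte of the CRC).
    body = enc.encrypt(bytes(11) + bytes([crc >> 24])) + enc.encrypt(plain)
    flags, method, mtime, mdate = 1, zipfile.ZIP_STORED, 0, 0x21  # bit 0 = encrypted; 1980-01-01
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method, mtime, mdate,
                        crc, len(body), len(plain), len(name), 0) + name
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, flags, method,
                          mtime, mdate, crc, len(body), len(plain), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def candidate_passwords(email_body: str, filename: str, wordlist) -> list:
    """Passwords to try, in order: quoted in the mail body, tokens of the file name, then the list."""
    hinted = re.findall(r"(?i)password\s*(?:is|:|=)\s*['\"]?([^\s'\"]+)", email_body)
    from_name = re.split(r"[^A-Za-z0-9]+", filename.rsplit(".", 1)[0])
    seen, out = set(), []
    for cand in hinted + from_name + list(wordlist):
        if cand and cand not in seen:
            seen.add(cand)
            out.append(cand.encode())
    return out


def recover_and_scan(blob: bytes, email_body: str, filename: str, wordlist) -> dict:
    """Try each candidate password; on success scan the plaintext for the EICAR marker."""
    zf = zipfile.ZipFile(io.BytesIO(blob))
    # Entry names and sizes are readable without any password: ZipCrypto protects content only.
    result = {"names": zf.namelist(), "password": None, "verdict": "unknown"}
    for pwd in candidate_passwords(email_body, filename, wordlist):
        try:
            contents = [zf.read(n, pwd=pwd) for n in zf.namelist()]
        except (RuntimeError, zipfile.BadZipFile):
            continue  # wrong check byte, or a 1-in-256 check-byte collision caught by the CRC
        result["password"] = pwd
        result["verdict"] = "malicious" if any(EICAR in d for d in contents) else "clean"
        break
    return result


# Constructed samples: a hint in the mail body, the researchers' 'infected' convention, a strong password.
COMMON_PASSWORDS = ["infected", "malware", "123456", "password"]
HINTED_BODY = "Hi, attached is the invoice. ZIP password is 'Soph0s' - thanks"
HINTED_ZIP = zipcrypto_zip(b"eicar.com", EICAR, b"Soph0s")
RESEARCHER_ZIP = zipcrypto_zip(b"sample.bin", EICAR, b"infected")
STRONG_ZIP = zipcrypto_zip(b"notes.txt", b"nothing to see here", b"c0rrect-h0rse-b4ttery")

if __name__ == "__main__":
    print(recover_and_scan(HINTED_ZIP, HINTED_BODY, "invoice_april.zip", COMMON_PASSWORDS))
    print(recover_and_scan(RESEARCHER_ZIP, "see attached", "sample.zip", COMMON_PASSWORDS))
    print(recover_and_scan(STRONG_ZIP, "see attached", "notes.zip", COMMON_PASSWORDS))
```

The first archive falls to the hint in the mail body, the second to the "infected" entry in the wordlist, and the third, with a strong password and no hint, stays unopened even though its file names are already visible to the scanner. The candidate order matters for cost: hints are tried before the list, so a scanner pays for the wordlist only on archives where nothing in the surrounding message gives the password away.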
Brandt said that last year Microsoft's OneDrive began backing up malicious files he had stored in one of his Windows folders after he created an exception (i.e. an allow-list entry) in his company's endpoint security tool. Once the files were synced to OneDrive, he found that they had been wiped from his laptop's hard drive and detected as malware in his OneDrive account.
“I lost everything,” he said.
Brandt then began archiving the malicious files in zip files protected with the password "infected." He said SharePoint had not flagged those files until last week. Now it does.
A Microsoft representative confirmed receipt of an email asking about the practice of bypassing password protection on files stored on its cloud services, but the company did not immediately respond with answers.
A Google representative said the company doesn't scan password-protected zip files, though Gmail does flag such a file when a user receives one. Work accounts managed through Google Workspace were also blocked from sending password-protected zips.
This practice shows that online services often walk a fine line when trying to protect end users from common threats while respecting privacy. As Brandt points out, actively cracking a password-protected zip file feels invasive. At the same time, this practice almost certainly prevents large numbers of users from falling prey to social engineering attacks that attempt to infect their computers.
Another thing readers should keep in mind is that a password-protected zip file offers only a minimal guarantee that the contents cannot be read. As Beaumont pointed out, ZipCrypto, the default method for encrypting zip files on Windows, is easy to break, and the archive's file names and sizes are stored in the clear regardless of the password. A more reliable method is to use the AES-256 encryption built into many archive programs when creating 7z files, which can also encrypt the archive headers so the file names are hidden as well.