Microsoft cloud services are scanning for malware by looking inside users’ zip files, even if they’re password-protected, several users reported on Mastodon on Monday.
Compressing file contents into archived zip files has long been a tactic threat actors use to hide malware distributed via email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password that the end user must enter when converting the file back to its original form. Microsoft is countering this move by attempting to bypass password protection on zip files and, when successful, scanning them for malicious code.
While the analysis of password-protected files in Microsoft cloud environments is well known to some people, it came as a surprise to Andrew Brandt. The security researcher has long archived malware in password-protected zip files before sharing it with other researchers via SharePoint. On Monday, he took to Mastodon and reported that the Microsoft collaboration tool had recently flagged a zip file protected with the password “infected.”
“While I can totally understand doing this for anyone other than a malware analyst, this kind of pushy, in-your-face way of going about it is going to be a big problem for people like me who have to send malware samples to colleagues,” Brandt wrote. “The space available to do this just keeps shrinking, and that will affect the ability of malware researchers to do their jobs.”
Fellow researcher Kevin Beaumont joined the discussion, saying that Microsoft has multiple methods for scanning the contents of password-protected zip files and uses them across all of its 365 cloud services, not just on files stored in SharePoint. One method is to extract possible passwords from email bodies or the file itself. Another is to test whether the file is protected with one of the passwords in a list.
“If you mail something to yourself and write something like ‘Mail password is Soph0s’, EICAR and ZIP archive it with Soph0s, it will find, extract and find the password (and provide MS detection),” he wrote.
Brandt said that last year, Microsoft’s OneDrive started backing up malicious files he had stored in one of his Windows folders after creating an exception (i.e., allow listing) in his endpoint security tools. He later discovered that once the files were uploaded to OneDrive, they were deleted from his laptop’s hard drive and detected as malware in his OneDrive account.
“I lost the whole gang,” he said.
Brandt then began archiving malicious files in zip files protected with the password “infected.” Until last week, he said, SharePoint didn’t flag the files. Now it does.
Microsoft representatives acknowledged receiving an email asking about their practices for bypassing password protection of files stored on cloud services. The company did not respond.
A Google representative said the company doesn’t scan password-protected zip files, although Gmail flags them when users receive one. My work account managed by Google Workspace also prevented me from sending a password-protected zip.
The practice shows the balance online services often have to strike between respecting privacy and protecting end users from common threats. As Brandt points out, actively cracking a password-protected zip file feels invasive. At the same time, this practice has almost certainly prevented a large number of users from falling victim to social engineering attacks that attempted to infect their computers.
Another thing readers should keep in mind: password-protected zip files offer minimal assurance that the contents of the archive can’t be read. As Beaumont points out, ZipCrypto, the default means of encrypting zip files on Windows, is trivial to break. A more reliable approach is to use the AES-256 encryption built into many archive programs when creating 7z files.
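Which scheme protects an existing zip archive can be read from its central directory without knowing the password. The sketch below is an added example, not part of the original article: the function names are hypothetical, the sample archive is constructed with dummy payloads and patched headers, and it covers zip containers only (7z uses a different format).

```python
import io
import struct
import zipfile

AES_EXTRA_ID = 0x9901          # WinZip AE-x extra field header ID
AES_METHOD = 99                # compression method value that signals AE-x
AES_STRENGTH = {1: 128, 2: 192, 3: 256}

def aes_bits(extra: bytes):
    """Walk the extra-field records and return the AES key size, if declared."""
    pos = 0
    while pos + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, pos)
        if tag == AES_EXTRA_ID and size >= 7 and pos + 4 + size <= len(extra):
            return AES_STRENGTH.get(extra[pos + 8])   # byte after version + vendor
        pos += 4 + size
    return None

def classify(info: zipfile.ZipInfo) -> str:
    if not info.flag_bits & 0x1:                      # bit 0: entry is encrypted
        return "unencrypted"
    if info.compress_type == AES_METHOD:
        bits = aes_bits(info.extra)
        return f"AES-{bits}" if bits else "AES (unknown strength)"
    if info.flag_bits & 0x40:                         # bit 6: PKWARE strong encryption
        return "PKWARE strong encryption"
    return "ZipCrypto"                                # legacy scheme, weak

def audit(data: bytes) -> dict:
    """Map each member name to its protection scheme; reads headers only."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}

def build_sample() -> bytes:
    """Constructed archive: payloads are NOT encrypted, headers only mimic each scheme."""
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 0)
    members = [("plain.txt", b"", 0, 0), ("legacy.bin", b"", 1, 0),
               ("aes.bin", aes_extra, 1, AES_METHOD)]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, extra, _, _ in members:
            zi = zipfile.ZipInfo(name)
            zi.extra = extra
            zf.writestr(zi, b"dummy")
    raw, pos = bytearray(buf.getvalue()), 0
    for _, _, flags, method in members:               # patch central directory entries
        pos = raw.index(b"PK\x01\x02", pos)
        struct.pack_into("<HH", raw, pos + 8, flags, method)
        pos += 4
    return bytes(raw)

if __name__ == "__main__":
    print(audit(build_sample()))
```

Any member reported as ZipCrypto should be treated as readable by whoever holds the archive, regardless of the password chosen.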