
Microsoft’s cloud services are scanning for malware by looking inside users’ zip files, even when those files are protected by a password, multiple users reported on Mastodon on Monday.
Compressing file contents into zip archives has long been a tactic used by threat actors to hide malware spread via email or download. Eventually, some threat actors adapted by protecting their malicious zip files with a password that the end user had to type when extracting the archive. Microsoft is taking this a step further by attempting to bypass the password protection on zip files and, if successful, scanning them for malicious code.
While the scanning of password-protected zip files in Microsoft cloud environments is known to some people, it came as a surprise to Andrew Brandt. The security researcher had long archived malware inside password-protected zip files before sharing it with other researchers via SharePoint. On Monday, he took to Mastodon to report that Microsoft’s collaboration tool had recently flagged a password-protected zip file as “infected.”
“While I completely understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling it can be a huge problem for people like me who should send their colleagues the malware sample,” Brandt wrote. “The available space to do this continues to shrink and this affects the ability of malware researchers to do their jobs.”
Fellow researcher Kevin Beaumont joined the discussion to say that Microsoft has several methods for scanning the contents of password-protected zip files and applies them not only to files stored in SharePoint but to all 365 cloud services. One way is to extract any likely passwords from the email body or from the file name itself. Another is to test whether the file is protected by one of the passwords on a list.
“If you send yourself something and type something like ‘ZIP password is Soph0s’, ZIP up EICAR and ZIP password it with Soph0s, it will find (the) password, get a search (and feed MS detection),” he wrote.
Brandt said that last year Microsoft’s OneDrive started backing up malicious files he had stored in one of his Windows folders after he created an exception (i.e., an allow-list entry) for them in his endpoint security tools. He later discovered that once the files went to OneDrive, they were deleted from his laptop hard drive and detected as malware in his OneDrive account.
“I lost the whole bunch,” he said.
Brandt then began archiving the malicious files in password-protected “infected” zip files. Until last week, he said, SharePoint had not flagged the files. Now they are.
Microsoft representatives acknowledged receiving an email asking about the practice of bypassing password protection on files stored in its cloud services. The company did not follow up with a response.
A Google representative said the company does not scan password-protected zip files, although Gmail flags them when users receive such a file. My work account managed by Google Workspace also prevents me from sending a password-protected zip.
The practice illustrates the fine line online services always walk when trying to protect end users from common threats while also respecting their privacy. As Brandt says, actively cracking a password-protected zip file feels invasive. At the same time, the practice has almost certainly prevented many users from falling victim to social engineering attacks that attempted to infect their computers.
One more thing readers should keep in mind: password-protected zip files provide little assurance that the contents of the archive are unreadable. As Beaumont notes, ZipCrypto, the default means of encrypting zip files in Windows, is trivial to bypass. A more reliable option is to use the AES-256 encryption built into many archive programs to create 7z files.
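The difference between ZipCrypto and AES protection is visible in the archive's own headers, so a mail gateway or a researcher can flag archives that rely on the weak scheme before relying on them. The following is an added example (not code from the article or from Microsoft): it parses the zip central directory and classifies each entry as plain, ZipCrypto, or WinZip AES; the sample archive it checks is constructed inline with header-only entries and empty payloads, purely so the parser can be exercised offline.

```python
import struct

AES_EXTRA = 0x9901   # WinZip AES extra-field header id
AES_METHOD = 99      # compression method WinZip uses to signal AES
AES_BITS = {1: 128, 2: 192, 3: 256}


def _aes_extra(strength: int, real_method: int = 8) -> bytes:
    """WinZip AES extra field: id, size, vendor version, 'AE', strength, real method."""
    return struct.pack("<HHH2sBH", AES_EXTRA, 7, 2, b"AE", strength, real_method)


def build_sample_zip(entries):
    """Constructed archive: entries are (name, flags, method, extra); payloads are empty."""
    local, central, offset = b"", b"", 0
    for name, flags, method, extra in entries:
        n = name.encode()
        local_hdr = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method,
                                0, 0, 0, 0, 0, len(n), len(extra))
        central_hdr = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                                  0, 0, 0, 0, 0, len(n), len(extra), 0, 0, 0, 0, offset)
        local += local_hdr + n + extra
        central += central_hdr + n + extra
        offset = len(local)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


def classify_zip_entries(data: bytes):
    """Return [(name, scheme)] with scheme 'plain', 'ZipCrypto' or 'AES-<bits>'."""
    eocd = data.rfind(b"PK\x05\x06")                      # end-of-central-directory record
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    results = []
    for _ in range(count):
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + nlen].decode()
        extra = data[pos + 46 + nlen:pos + 46 + nlen + xlen]
        scheme = "plain"
        if flags & 0x1:                                   # bit 0: entry is encrypted
            scheme = "AES-?" if method == AES_METHOD else "ZipCrypto"
            i = 0
            while i + 4 <= len(extra):                    # walk extra-field records
                hid, size = struct.unpack_from("<HH", extra, i)
                if hid == AES_EXTRA and i + 9 <= len(extra):
                    scheme = f"AES-{AES_BITS.get(extra[i + 8], '?')}"
                i += 4 + size
        results.append((name, scheme))
        pos += 46 + nlen + xlen + clen
    return results


def zipcrypto_entries(data: bytes):
    """Names of entries that rely only on the weak ZipCrypto scheme (worth flagging)."""
    return [name for name, scheme in classify_zip_entries(data) if scheme == "ZipCrypto"]


# Constructed sample: one plain, one ZipCrypto, one AES-256 entry.
SAMPLE_ZIP = build_sample_zip([("notes.txt", 0, 0, b""), ("sample.bin", 1, 8, b""),
                               ("sample_aes.bin", 1, AES_METHOD, _aes_extra(3))])
```

Only the archive metadata is inspected; the function never attempts to decrypt or open any entry.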