Microsoft cloud services are scanning for malware by peeking into users’ zip files, even when the archives are password protected, several users reported on Mastodon on Monday.
Compressing files into zip archives has long been a tactic threat actors use to hide malware spread via email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password that the end user must type to extract the contents. Microsoft takes this a step further by attempting to bypass the password protection on zip files and, if successful, scanning them for malicious code.
While Microsoft’s scanning of password-protected files in its cloud environments is known to some people, it came as a surprise to Andrew Brandt. The security researcher has long archived malware in password-protected zip files before exchanging it with other researchers via SharePoint. On Monday, he took to Mastodon to report that the Microsoft collaboration tool had recently flagged a zip file that was protected with the password “infected.”
“While I totally understand doing this for someone other than a malware analyst, this nosy way of getting into your company is going to be a major problem for people like me who need to send malware samples to their colleagues,” Brandt wrote. “The space available to do this is shrinking and it will impact the ability of malware researchers to do their jobs.”
Fellow researcher Kevin Beaumont joined the discussion, saying that Microsoft has multiple methods of scanning the contents of password-protected zip files and uses them not just for files stored in SharePoint, but across all Microsoft 365 cloud services. One way is to extract any passwords from the body of the email or from the name of the file itself. Another is to test whether the file is protected with one of the passwords on a list.
“If you email yourself and type something like ‘ZIP password is Soph0s’, ZIP up EICAR and ZIP password with Soph0s, it will find, extract and find (and feed MS detection) the password”, he wrote.
Brandt said that last year Microsoft’s OneDrive began backing up malicious files he had stored in one of his Windows folders after he created an exception (i.e. an allow list) in his endpoint security tools. He later discovered that once the files landed in OneDrive, they were erased from his laptop’s hard drive and detected as malware in his OneDrive account.
“I lost the whole gang,” he said.
Brandt then began archiving malicious files in zip files protected with the password “infected”. Until last week, he said, SharePoint didn’t flag the files. Now it does.
Microsoft representatives confirmed receipt of an email asking about the practice of bypassing password protection on files stored in its cloud services. The company did not follow up with an answer.
A Google representative said the company doesn’t scan password-protected zip files, though Gmail does flag them when users receive one. My work account, managed by Google Workspace, also prevented me from sending a password-protected zip file.
The practice illustrates the thin line that online services often walk when trying to protect end users from common threats while respecting privacy. As Brandt points out, actively cracking a password-protected zip file feels invasive. At the same time, this practice has almost certainly prevented large numbers of users from falling prey to social engineering attacks attempting to infect their computers.
Another thing readers should remember: password-protected zip files provide minimal assurance that the contents of the archive cannot be read. As Beaumont pointed out, ZipCrypto, the default method of encrypting zip files in Windows, is easy to break. A more reliable option is the AES-256 encryption built into many archive programs for creating 7z files.
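To make the two scanning methods Beaumont describes concrete, here is an added example (not code from the article, from Microsoft, or from any of the researchers quoted) of a gateway-style scanner that tries passwords it can get for free, those stated in the message body or file name plus a short list, and inspects whatever opens. Because Python’s standard library cannot write encrypted archives, the example builds its own sample protected with ZipCrypto, the default Windows method mentioned above; the file names, message text, two-entry password list and the harmless EICAR test string used in place of malware are all constructed for this example.

```python
import io, re, struct, zipfile, zlib
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"  # harmless test string
COMMON_PASSWORDS = (b"infected", b"malware")  # constructed short list a scanner tries last

def _crc_step(key, byte):  # one-byte CRC-32 update, as PKWARE's ZipCrypto uses it
    return zlib.crc32(bytes([byte]), key ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(data, password, crc):
    """Traditional PKWARE (ZipCrypto) stream encryption; the 11 'random' header bytes are zeros here."""
    k = [0x12345678, 0x23456789, 0x34567890]
    def update(c):
        k[0] = _crc_step(k[0], c)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)
    def keystream():
        t = (k[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF
    for c in password:
        update(c)
    out = bytearray()
    for p in bytes(11) + bytes([crc >> 24]) + data:  # last header byte lets a reader verify the password
        out.append(p ^ keystream())
        update(p)
    return bytes(out)

def build_protected_zip(name, data, password):
    """Minimal stored (uncompressed) zip with one ZipCrypto-protected entry, written by hand."""
    crc = zlib.crc32(data)
    body = zipcrypto_encrypt(data, password, crc)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0, crc, len(body), len(data), len(name), 0) + name + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0, crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + end

def candidate_passwords(message, filename):
    """Passwords a gateway gets for free: stated in the mail body, embedded in the file name, or on a short list."""
    hints = re.findall(r"password\s*(?:is|:)\s*['\"‘’]?([^\s'\"‘’.,]+)", message, re.IGNORECASE)
    tokens = [t for t in re.split(r"[\W_]+", filename) if t]
    return [h.encode() for h in hints + tokens] + list(COMMON_PASSWORDS)

def scan_protected_zip(blob, message, filename):
    """Return (password_used, verdict); verdict is 'malicious', 'clean' or 'locked' (no candidate worked)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for pwd in candidate_passwords(message, filename):
            try:  # a wrong password fails the 12-byte header check or, 1 time in 256, the final CRC check
                contents = [zf.read(info, pwd=pwd) for info in zf.infolist()]
            except (RuntimeError, zipfile.BadZipFile):
                continue
            return pwd.decode(), "malicious" if any(EICAR in c for c in contents) else "clean"
    return None, "locked"
```

A sample whose password appears nowhere the scanner can see comes back as "locked", which is the case where only a full password-cracking step, not shown here, would get further.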