Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Microsoft is Caught Scanning Password-Protected Zip Files on SharePoint Online

Microsoft has been caught scanning for malware in password-protected zip files stored on SharePoint Online. Andrew Brandt, a security researcher who uses Microsoft’s cloud services to save copies of malware in password-protected zip files shared his surprise after Microsoft had flagged some of his files that had been uploaded into a SharePoint directory as malware.

In a Mastodon post that summarized his findings, Brandt said that he “totally understand doing this for anyone other than a malware analyst,” but added that “this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples.”

For security researchers, using cloud services to back up and share malware in protected files is a pretty common practice. Brandt also said in the Mastodon thread that he started to keep malware in passworded zips last year after the OneDrive app on his work laptop decided to back up his files, then deleted them from both his hard drive and the cloud after they had been flagged as malware.

How can Microsoft scan password-protected zip files?

While Microsoft has good reasons to scan files stored on its cloud services for malware, doing so on password-protected files may go a step too far for some customers. “The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs,” Brandt said.

Kevin Beaumont, another security researcher (and ex-Microsoft employee) chimed in in the thread to explain how Microsoft manages to see what’s inside password-protected files on its cloud services. According to Beaumont, Microsoft “has a password list it runs through files,” and Brandt used the easy-to-guess “infected” password on his protected zip files. Beaumont added that Microsoft also extracts passwords from email bodies.

Ars Technica reached out to Microsoft to ask how the company proceeds to see what’s inside password-protected files on its cloud services, but the company didn’t respond. It’s not exactly clear if Microsoft now uses more advanced methods to crack passwords than the ones Beaumont mentioned, but some clarity would be welcome. In comparison, a Google spokesperson did confirm to Ars Technica that the company doesn’t scan password-protected zip files, though Gmail does flag them in emails.