Microsoft is Caught Scanning Password-Protected Zip Files on SharePoint Online

Microsoft has been caught scanning for malware in password-protected zip files stored on SharePoint Online. Andrew Brandt, a security researcher who uses Microsoft’s cloud services to save copies of malware in password-protected zip files, shared his surprise after Microsoft flagged as malware some of the files he had uploaded to a SharePoint directory.

In a Mastodon post that summarized his findings, Brandt said that he “totally understand doing this for anyone other than a malware analyst,” but added that “this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples.”

For security researchers, using cloud services to back up and share malware in protected files is a pretty common practice. Brandt also said in the Mastodon thread that he started keeping malware in password-protected zips last year after the OneDrive app on his work laptop decided to back up his files, then deleted them from both his hard drive and the cloud after they had been flagged as malware.

How can Microsoft scan password-protected zip files?

While Microsoft has good reasons to scan files stored on its cloud services for malware, doing so on password-protected files may go a step too far for some customers. “The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs,” Brandt said.

Kevin Beaumont, another security researcher (and ex-Microsoft employee), chimed in on the thread to explain how Microsoft manages to see what’s inside password-protected files on its cloud services. According to Beaumont, Microsoft “has a password list it runs through files,” and Brandt used the easy-to-guess “infected” password on his protected zip files. Beaumont added that Microsoft also extracts passwords from email bodies.

Ars Technica reached out to Microsoft to ask how the company sees what’s inside password-protected files on its cloud services, but the company didn’t respond. It’s not exactly clear whether Microsoft now uses more advanced methods to crack passwords than the ones Beaumont mentioned, but some clarity would be welcome. In comparison, a Google spokesperson did confirm to Ars Technica that the company doesn’t scan password-protected zip files, though Gmail does flag them in emails.