Microsoft is searching within your secure folders for malware, even if you have a password

Illustration of a laptop with a magnifying glass exposing a beetle on-screen
(Image credit: Shutterstock / Kanoktuch)

Microsoft has reportedly started scanning password-protected .ZIP archives for malware, and not everyone is happy about the decision.

Ars Technica reported that several users on Mastodon, including cybersecurity researchers, confirmed that Microsoft’s antivirus program had started scanning .ZIP archives for malicious content, even those protected by a password.

Password-protected .ZIP archives are one of the most popular tactics among cybercriminals looking to deploy malware via email, as email security services rarely flag them.

"Nosy practices"

The publication claims that the practice was “well-known to some people”, but came as a surprise to others. Cybersecurity researcher Andrew Brandt, for example, wasn’t too thrilled about the idea, as it made it difficult for him to share malware with his fellow researchers through SharePoint.

"While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples,” Brandt wrote. “The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs.”

Another researcher, Kevin Beaumont, said the company scans files not just in SharePoint but across its Microsoft 365 cloud services, adding that there are multiple methods of peeking into password-protected archives. One way, it seems, is to scan the contents of the email itself for potential passwords: people mailing .ZIP archives to one another will sometimes share the password in the body of the email.

“If you mail yourself something and type something like 'ZIP password is Soph0s', ZIP up EICAR and ZIP password it with Soph0s, it'll find (the) password, extract and find,” he wrote.

While this might come as a surprise to some people, Ars Technica notes that password-protected .ZIP files “provide minimal assurance” that an unauthorized third party cannot read the contents. “The default means for encrypting zip files in Windows is trivial to override. A more dependable way is to use an AES-256 encryptor built into many archive programs when creating 7z files,” the report concludes.
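The scanner behaviour Beaumont describes, as an added example that is not Microsoft's code or part of the original report: it pulls password hints out of a message body, tries each one against the attached archive, and flags any member containing the EICAR test string. Because Python's zipfile module can read but not write the traditional PKWARE encryption, the example also hand-assembles the ZipCrypto-protected archive that Ars calls trivial to override; the mail body, the member name sample.bin and the hint pattern are constructed for the demonstration.

```python
import io, re, struct, zipfile, zlib
# EICAR is the harmless antivirus test string Beaumont mentions; any scanner flags it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def zipcrypto_encrypt(plaintext, password, crc):
    # Traditional PKWARE "ZipCrypto" stream cipher: the weak Windows default Ars refers to.
    step = lambda v, ch: zlib.crc32(bytes([ch]), v ^ 0xFFFFFFFF) ^ 0xFFFFFFFF  # CRC32 table step
    k = [0x12345678, 0x23456789, 0x34567890]
    def update(ch):
        k[0] = step(k[0], ch)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = step(k[2], k[1] >> 24)
    def enc(ch):  # keystream byte from key 2, then advance the keys on the plaintext byte
        t = k[2] | 2
        c = ch ^ (((t * (t ^ 1)) >> 8) & 0xFF)
        update(ch)
        return c
    for ch in password: update(ch)
    # 12-byte prefix; byte 11 must equal the CRC's high byte, the only password check a reader has.
    return bytes(enc(ch) for ch in bytes(range(11)) + bytes([crc >> 24]) + plaintext)

def build_zipcrypto_archive(name, plaintext, password):
    # Hand-assemble a one-member, stored, encrypted archive (constructed test input).
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    body = zipcrypto_encrypt(plaintext, password, crc)
    t, d = 0, ((2023 - 1980) << 9) | (5 << 5) | 17  # DOS time/date; flags=1 marks encryption
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, t, d,
                        crc, len(body), len(plaintext), len(name), 0) + name
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0, t, d,
                          crc, len(body), len(plaintext), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd

def candidate_passwords(mail_body):
    # Hints such as "ZIP password is Soph0s" or "password: x"; a trailing . , ; is read as punctuation.
    return re.findall(r"(?i)\b(?:zip\s+)?password\s*(?:is|:)\s*['\"]?([^\s'\".,;]+)", mail_body)

def scan_protected_zip(zip_bytes, mail_body):
    # Try each recovered password; return (working password, member names containing EICAR).
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for pwd in candidate_passwords(mail_body):
            try:
                hits = [i.filename for i in zf.infolist() if EICAR in zf.read(i, pwd=pwd.encode())]
            except (RuntimeError, zipfile.BadZipFile):
                continue  # wrong password: check-byte mismatch (or, 1 time in 256, CRC mismatch)
            return pwd, hits
    return None, []

SAMPLE_MAIL = "Old password: letmein is dead. ZIP password is Soph0s, sample attached."  # constructed
SAMPLE_ZIP = build_zipcrypto_archive(b"sample.bin", EICAR, b"Soph0s")  # constructed attachment
```

The same archive opened with a 7z tool's AES-256 option would not yield to this approach, since nothing in the mail body then shortcuts a properly keyed cipher; the weak link the report points at is the legacy cipher plus the password sitting next to the attachment.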

Via: Ars Technica

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.