Ars Technica reported that several users on Mastodon, including cybersecurity researchers, had confirmed that Microsoft’s antivirus program had started scanning .ZIP archives for malicious content, even those protected by a password.
Password-protected .ZIP archives are one of the most popular tactics among cybercriminals looking to deploy malware via email, as email security services rarely flag them.
The publication claims that the practice was “well-known to some people”, but came as a surprise to others. Cybersecurity researcher Andrew Brandt, for example, wasn’t too thrilled about the idea, as it made it difficult for him to share malware with his fellow researchers through SharePoint.
“While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples,” Brandt wrote. “The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs.”
Another researcher, Kevin Beaumont, said the company scans files not just in SharePoint but everywhere in its Microsoft 365 cloud services, adding that there are multiple methods of peeking into password-protected archives. One way, it seems, is to scan the contents of the email itself for potential passwords: people mailing .ZIP archives to one another sometimes share the password in the body of the email.
“If you mail yourself something and type something like 'ZIP password is Soph0s', ZIP up EICAR and ZIP password it with Soph0s, it'll find (the) password, extract and find,” he wrote.
While this might come as a surprise to some people, Ars Technica notes that password-protected .ZIP files “provide minimal assurance” against an unauthorized third party reading the contents. “The default means for encrypting zip files in Windows is trivial to override. A more dependable way is to use an AES-256 encryptor built into many archive programs when creating 7z files,” the report concludes.
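As an added illustration of the technique Beaumont describes (example code written for this page, not Microsoft's scanner or anything from the article): it pulls a password candidate out of a constructed email body and uses it to open a constructed ZipCrypto-protected attachment with Python's standard zipfile module. The archive is built in the block with the legacy PKWARE cipher so the example runs offline; the password, member name and content are assumptions.

```python
import io, re, struct, zipfile, zlib
# Constructed sample e-mail body that leaks the archive password in clear text.
EMAIL_BODY = "Hi, sample attached. ZIP password is Soph0s. Thanks!"

def candidate_passwords(text):
    """Pull password-looking tokens out of message text (case-insensitive)."""
    return re.findall(r"password\s*(?:is|:)\s*['\"]?([^\s'\",.]+)", text, re.IGNORECASE)

class ZipCrypto:
    """Legacy PKWARE 'ZipCrypto' stream cipher, used here only to build the sample archive."""
    def __init__(self, pwd):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in pwd:
            self._update(b)
    def _update(self, b):  # key schedule: a CRC32 step, an LCG step, another CRC32 step
        k = self.k
        k[0] = zlib.crc32(bytes([b]), k[0] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = zlib.crc32(bytes([k[1] >> 24]), k[2] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
    def encrypt(self, data):
        out = bytearray()
        for b in data:
            t = self.k[2] | 2
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(b)  # the keys advance on the plaintext byte
        return bytes(out)

def build_encrypted_zip(name, data, pwd):
    """One stored member, ZipCrypto-encrypted (constructed sample, not a real attachment)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    c = ZipCrypto(pwd)
    # 12-byte encryption header: 11 filler bytes plus the CRC's high byte as the check byte
    body = c.encrypt(bytes(11) + bytes([crc >> 24])) + c.encrypt(data)
    fname = name.encode()
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, 0, 0x21,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0, 0, 0x21,
                          crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    end = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + end

def open_with_leaked_password(zip_bytes, email_text):
    """Try every password candidate from the e-mail against the attachment's first member."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        member = zf.namelist()[0]
        for pwd in candidate_passwords(email_text):
            try:
                return pwd, zf.read(member, pwd=pwd.encode())
            except (RuntimeError, zipfile.BadZipFile):  # wrong password for this archive
                continue
    return None
```

A scanner that gets this far can hand the decrypted member to its normal signature engine; an archive whose password never appears in the message stays opaque to this method.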
Via: Ars Technica
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.