Microsoft has quietly added the ability to scan password-protected ZIP files for malware and viruses to its SharePoint Online platform. The new feature was first discovered by Andrew Brandt, a Principal Security Researcher at Sophos. This has raised some privacy and security concerns among users because Microsoft is accessing password-protected content.
On Infosec, Brandt said that he was able to get his malware-containing, password-encrypted files scanned by Microsoft 365's virus detection engine. He said that he was "surprised" to find that SharePoint Online now has the ability to scan inside password-protected zip archives. Brandt also said that Microsoft's OneDrive service had previously backed up and deleted some malicious files from his laptop hard drive after he created an exception in his endpoint security tools.
Microsoft has not officially commented on the issue, but it is likely that the company is scanning password-protected ZIP files to prevent malware from spreading through its cloud services. Compressing file contents into archived zip files has long been a tactic used by threat actors to conceal malware from email or download filters. Some threat actors also use passwords to protect their malicious zip files from being detected by antivirus software.
Microsoft may be countering this tactic by bypassing the password protection and scanning the zip contents for malicious code. This could be seen as a proactive measure to protect its cloud users from potential threats.
While Microsoft's policy may be understandable for average users who may not be aware of the risks of opening password-protected zip files, it may also pose some privacy and security problems for other users, especially malware researchers who need to share and analyze malicious files with their colleagues.
Is This a Privacy and Security Breach?
Brandt said that this kind of "nosy, get-inside-your-business" way of handling things is going to become a big problem for people like him who need to send their colleagues malware samples. He adds that the available space for doing this keeps shrinking and will impact malware researchers' ability to do their job.
Some users may also wonder what else Microsoft can access and scan in their cloud accounts without their permission or knowledge. They may question how secure and private their data is in Microsoft's cloud services, especially if they use passwords to protect their sensitive or personal files.
The new feature is enabled by default and can be disabled in the SharePoint Online settings. When enabled, SharePoint Online scans all uploaded files, including password-protected ZIP files, for malware and viruses. If a file is found to be malicious, it will not be uploaded to SharePoint Online.
What is interesting is that Microsoft has not updated its documentation of the automatic virus-detection defaults for SharePoint Online. That documentation explains:
“The Microsoft 365 virus detection engine scans files asynchronously (at some time after upload). If a file has not yet been scanned by the asynchronous virus detection process, and a user tries to download the file from the browser or from Teams, a scan on download is triggered by SharePoint before the download is allowed. All file types are not automatically scanned. Heuristics determine the files to scan.”