HomeWinBuzzer NewsMicrosoft Is Scanning for SharePoint Online Malware in Password-Protected ZIP Files

Microsoft Is Scanning for SharePoint Online Malware in Password-Protected ZIP Files

Microsoft is now scanning password-protected ZIP files without permission to look for malware risks on SharePoint Online.


has quietly added the ability to scan password-protected ZIP files for malware and viruses to its platform. The new feature was first discovered by Andrew Brandt, a Principal Security Researcher at Sophos. This has raised some privacy and security concerns among users because Microsoft is accessing password-protected content.

On Infosec, Brandt said that he was able to get his malware-containing password-encrypted files scanned by Microsoft 365′s virus detection engine. He said that he was “surprised” to find that SharePoint Online now has the ability to scan inside of password-protected zip archives. Brandt also said that Microsoft's OneDrive service had previously backed up and deleted some malicious files from his laptop hard drive after he created an exception in his endpoint security tools.

Microsoft has not officially commented on the issue, but it is likely that the company is scanning password-protected ZIP files to prevent malware from spreading through its cloud services. Compressing file contents into archived zip files has long been a tactic used by threat actors to conceal malware from email or download filters. Some threat actors also use to protect their malicious zip files from being detected by antivirus software.

Microsoft may be trying to one-up this move by attempting to bypass password protection and scan zip files for malicious code. This could be seen as a proactive measure to protect its cloud users from potential computer threats.

While Microsoft's policy may be understandable for average users who may not be aware of the risks of opening password-protected zip files, it may also pose some privacy and security problems for other users, especially malware researchers who need to share and analyze malicious files with their colleagues.

Is This a Privacy and Security Breach?

Brandt said that this kind of “nosy, get-inside-your-business” way of handling things is going to become a big problem for people like him who need to send their colleague's malware samples. He adds that the available space for doing this keeps shrinking and will impact malware researchers' ability to do their job.

Some users may also wonder what else Microsoft can access and scan in their cloud accounts without their permission or knowledge. They may question how secure and private their data is in Microsoft's cloud services, especially if they use passwords to protect their sensitive or personal files.

The new feature is enabled by default and can be disabled in the SharePoint Online settings. SharePoint Online will scan all uploaded files, including password-protected ZIP files, for malware and viruses when enabled. If a file is found to be malicious, it will not be uploaded to SharePoint Online.

What is interesting is Microsoft has not updated its virus-detection automatic defaults for SharePoint Online. That documentation explains:

“The virus detection engine scans files asynchronously (at some time after upload). If a file has not yet been scanned by the asynchronous virus detection process, and a user tries to download the file from the browser or from Teams, a scan on download is triggered by SharePoint before the download is allowed. All file types are not automatically scanned. Heuristics determine the files to scan.”

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News