Security researchers have found that Microsoft is most likely able to open and scan encrypted ZIP archives stored on OneDrive or SharePoint, at least when the archives were created under Windows. Microsoft has published no official information on the subject.
Encrypted ZIP attachments are a popular tool in e-mail attacks: the attacker attaches a password-protected ZIP file and security products cannot scan its contents. For ZIP files created and encrypted under Windows, however, this no longer seems to hold.
Accidental discovery: ZIPs are decrypted
Several security researchers discovered by accident that Microsoft may be able to open encrypted ZIPs, scan them and delete them if they contain malware, as Ars Technica reports. The researchers had e-mailed each other various malware samples for analysis and stored them on OneDrive. The ZIP files, encrypted for safety, were deleted from OneDrive after a short time, and at first the researchers did not understand why.
It quickly became clear that Microsoft's cloud services scan for malware by looking inside users' ZIP files, even password-protected ones. For security researcher Andrew, the analysis of password-protected files in Microsoft's cloud environments came as a surprise: he had long archived malware in password-protected ZIP files before sharing it with other researchers via SharePoint.
Part of the discovery was already known
In a discussion on Mastodon, fellow researcher Kevin Beaumont pointed out that Microsoft has several methods for scanning the contents of password-protected ZIP files and applies them not only to files stored in SharePoint but across all Microsoft 365 cloud services. One method extracts possible passwords from the body of an e-mail or from the file name itself. Another tries the file against a list of known passwords. Both are guessing attacks on the password, not a break of the encryption itself.
"If you email something to yourself and type something like 'ZIP password is Soph0s', zip EICAR and save it as a ZIP password with Soph0s, the password is found, extracted and submitted to MS detection," he wrote. Beaumont had excluded a directory of zipped and encrypted malware files from his endpoint protection software. As soon as the ZIPs were synced to OneDrive, they were deleted both in the cloud and on his laptop, costing him many important analysis samples. He then encrypted and stored many ZIPs under a new password; these sat on OneDrive or SharePoint for months before suddenly being flagged as malware and deleted as well.
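The two scanning methods described above, and Beaumont's "ZIP password is Soph0s" illustration, as an added Python example. This is not code from the article, and Microsoft's own implementation is not public; the regexes, the wordlist, the mail body, the file name and the archive contents are all constructed for the demonstration. The archive is written with the traditional ZipCrypto scheme (the only password scheme the standard library's zipfile can read) so that the whole thing runs offline, and the candidates are then tried against it the way a cloud-side scanner could.

```python
import io
import os
import re
import struct
import zipfile
import zlib

# Constructed test data (not from the article): a mail body that leaks the
# password, a file name carrying a password-like token, and a few conventional
# sample-sharing passwords a scanner would try first.
SAMPLE_EMAIL_BODY = "Hi, sample attached for analysis. ZIP password is Soph0s - thanks!"
SAMPLE_FILENAME = "eicar_sample_pw-infected.zip"
SAMPLE_CONTENT = b"constructed placeholder content, not a real sample\n"
COMMON_PASSWORDS = ["infected", "malware", "virus", "password", "123456"]

# "password is X" / "pw: X" / "pwd=X" in free text, and "..._pw-X.zip" in a file name.
_PW_IN_TEXT = re.compile(r"(?:password|passwd|pwd|pw)\s*(?:is|:|=)\s*[\"']?([^\s\"',.;]+)", re.I)
_PW_IN_NAME = re.compile(r"(?:password|passwd|pwd|pw)[-_=]([A-Za-z0-9!@#$%^&*]+)", re.I)


def extract_password_candidates(email_body, filename, wordlist=COMMON_PASSWORDS):
    """Ordered, de-duplicated candidates: explicit statements in the mail body
    first, then tokens from the file name, then the generic wordlist."""
    stem = filename.rsplit(".", 1)[0]
    raw = (_PW_IN_TEXT.findall(email_body)
           + _PW_IN_NAME.findall(filename)
           + [t for t in re.split(r"[^A-Za-z0-9]+", stem) if len(t) >= 4]
           + list(wordlist))
    return list(dict.fromkeys(raw))  # dict preserves first-seen order


def _crc_table():
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
        table.append(crc)
    return table


_CRC = _crc_table()


class ZipCrypto:
    """PKWARE 'traditional' ZIP encryption, the scheme behind Windows-compatible
    password-protected .zip files: 96 bits of key state derived from the
    password and advanced with every plaintext byte."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = (self.k0 >> 8) ^ _CRC[(self.k0 ^ b) & 0xFF]
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRC[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def encrypt(self, plaintext):
        out = bytearray()
        for p in plaintext:
            t = (self.k2 | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key state advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name, data, password):
    """Single-entry, stored ZIP protected with ZipCrypto. The 12-byte encryption
    header ends with the high byte of the CRC, which lets a reader reject most
    wrong passwords without decrypting the payload."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    enc = ZipCrypto(password.encode()).encrypt(os.urandom(11) + bytes([crc >> 24]) + data)
    fname = name.encode("ascii")
    flags, method, mtime, mdate = 0x0001, 0, 0x6000, 0x56AF  # bit 0 = encrypted; 2023-05-15 12:00
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, mtime, mdate,
                        crc, len(enc), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, mtime,
                          mdate, crc, len(enc), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(enc), 0)
    return local + enc + central + eocd


def recover_password(zip_bytes, candidates):
    """Try each candidate against the archive's first entry; return the first one
    that decrypts it (zipfile checks the header byte, then the CRC-32) or None."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        for pw in candidates:
            try:
                zf.read(name, pwd=pw.encode())
                return pw
            except (RuntimeError, zipfile.BadZipFile):
                continue  # check byte or CRC mismatch: wrong password
    return None


def demo():
    """Build the archive a sender would attach, then recover its password from
    the mail text and file name alone, as a cloud-side scanner could."""
    archive = build_encrypted_zip("notes.txt", SAMPLE_CONTENT, "Soph0s")
    return recover_password(archive, extract_password_candidates(SAMPLE_EMAIL_BODY, SAMPLE_FILENAME))


if __name__ == "__main__":
    print("recovered password:", demo())
```

The point the example makes is that the work is entirely in the candidate list: the mail body yields the password in one hit, the file name yields "infected", and only then does the generic wordlist come into play. Nothing here touches the cipher, so the same approach works unchanged against an AES-encrypted archive whose password travels in the same e-mail.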
Does Google do it differently?
Ars Technica asked a Google representative how the company handles such ZIP files; Google said it does not scan password-protected ZIP files. Gmail nevertheless flagged the ZIPs when users received such a file, and one researcher stated that his Google Workspace-managed work account prevented him from sending a flagged, password-protected ZIP file.
Cloud services and their operators understandably want to protect users from malware in encrypted archives. At the same time, however, this gives any institution or government an easy route to the contents of such ZIPs. The researchers have now switched to 256-bit AES encryption, as offered by the free tool 7-Zip, provided the archive is written in the 7z format rather than as a .ZIP file; the Windows ZIP tool they now use purely for compression. One caveat: the methods described above guess the password rather than break the cipher, so a stronger cipher alone does not help if the password is sent in the same e-mail or embedded in the file name. The password has to be strong and shared out of band. The 7z format can additionally encrypt the file names inside the archive, which traditional ZIP encryption leaves readable.
Editor/sel