
According to Ars Technica*, Microsoft cloud services are scanning for malware by peeking inside users’ zip files, even when they’re protected by a password, several users reported on Mastodon on Monday.
Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code.
While analysis of password-protected zip files in Microsoft cloud environments is well known to some people, it came as a surprise to Andrew Brandt. The security researcher has long archived malware inside password-protected zip files before exchanging them with other researchers through SharePoint. On Monday, he took to Mastodon to report that the Microsoft collaboration tool had recently flagged a zip file, which had been protected with the password “infected.” “While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples,” Brandt wrote. “The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs.”
Users often need every helping hand they are offered, and although this may seem intrusive on Microsoft’s part, it can help reduce the amount of malware delivered by this method. Threat actors have long sent zip files to victims who are often unaware of the danger of simply opening them. The privacy-versus-security debate is stronger than ever, and a move to scan zipped files could affect the valuable work malware analysts do. There are, however, alternative ways for researchers to exchange their malware samples. On balance, helping keep users more secure with minimal impact is a step in the right direction.
*ESET does not bear any responsibility for the accuracy of this information.