
Microsoft scanning password-protected Zip files for malware


Earlier this month I came across an article covering a recent development in malware scanning in MS365.

While putting a file in a password-protected Zip archive has been a traditional method of bypassing malware filtering (often with good reason), the changes in how Microsoft scans files traversing its services have made this no longer reliable.

Current state

As per the linked article, password-protected Zip archives sent through Microsoft online services will be subject to attempted extraction, with password guesses based on any keywords in the message containing the file as well as an existing keyword list.

This cleverly subverts the standard method of attaching a password-protected Zip file to an email and sending a message like "Zip file password is <password>".
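As an added illustration of the approach the article describes (this is not the article's or Microsoft's code; the message, the keyword list and the archive are constructed for the example), the sketch below derives password guesses from the covering e-mail, tries them against a ZipCrypto-protected attachment with the standard library, and reports what it could open:

```python
import io, re, struct, zipfile, zlib

# Constructed sample message; STATIC_KEYWORDS stands in for the vendor keyword list (assumed, not from the article).
SAMPLE_MESSAGE = "Hi, the invoice is attached. Zip file password is Infected2023 - thanks, Dana"
STATIC_KEYWORDS = ["infected", "malware", "virus", "password"]

def candidate_passwords(message, static=STATIC_KEYWORDS):
    """Guess order: the token following 'password' in the message, then every message token, then the static list."""
    explicit = re.findall(r"password\W*(?:is\W+)?([^\s\"']+)", message, re.I)
    tokens = re.findall(r"[^\s\"',.;:]+", message)
    return list(dict.fromkeys(explicit + tokens + list(static)))  # dedupe, keep order

def _zipcrypto(password):
    """Traditional PKWARE ZipCrypto keystream (encrypt side); keys advance with each plaintext byte."""
    k = [0x12345678, 0x23456789, 0x34567890]
    def update(c):
        k[0] = zlib.crc32(bytes([c]), k[0] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF  # raw table CRC step via zlib
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = zlib.crc32(bytes([k[1] >> 24]), k[2] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
    for b in password: update(b)
    def encrypt(plain):
        out = bytearray()
        for p in plain:
            t = (k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            update(p)
        return bytes(out)
    return encrypt

def make_zipcrypto_zip(name, data, password):
    """One stored, ZipCrypto-encrypted member; constructed stand-in for a real attachment (real tools randomise the prefix)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = _zipcrypto(password.encode())(bytes(11) + bytes([crc >> 24]) + data)  # 12-byte check prefix + data
    fn = name.encode()
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, 1, 0, 0, 0, crc, len(body), len(data), len(fn), 0) + fn
    cd = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, 1, 0, 0, 0,
                     crc, len(body), len(data), len(fn), 0, 0, 0, 0, 0, 0) + fn
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1, len(cd), len(local) + len(body), 0)
    return local + body + cd + eocd

def try_open_zip(zip_bytes, candidates):
    """Return (password, {member: bytes}) for the first candidate that opens every member, else (None, {})."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for pwd in candidates:
            try:
                return pwd, {i.filename: zf.read(i, pwd=pwd.encode()) for i in zf.infolist()}
            except (RuntimeError, zipfile.BadZipFile):
                continue  # wrong guess: 12-byte check fails, or (about 1 in 256) passes and the CRC check fails
    return None, {}
```

The standard library only handles traditional ZipCrypto; AES-encrypted archives need a third-party reader. An attachment that none of the guesses opens is the case a gateway would then have to quarantine or flag rather than scan.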

Reactions

As can be expected, the security professionals who discovered the issue clearly consider this to be a case of Microsoft being invasive and explicitly doing what the user does not want.

As for user reactions, those remain to be seen, though users do not normally intentionally email malware files in password-protected Zip files.

Opinion

Microsoft's decision is neither entirely right nor entirely wrong; it is a security tradeoff.

The benefit is clearly that users are protected from malware that an attacker attempted to hide from scanners - i.e. the "file is attached, please open with this password" malicious email.

Conversely, security researchers' jobs are made more difficult, and there is an argument to be made that these actions run counter to those users' wishes.

As a matter of opinion, I agree with Microsoft's stance in this case, generally because it's perhaps better to give a little more protection to the millions of users at the price of inconveniencing thousands of security researchers who still have multiple ways to continue to collaborate.