No, Microsoft SharePoint isn’t cracking users’ passwords
The discovery sparked concerns over potentially invasive antivirus scanning practices by Microsoft
Security professionals have raised concerns that Microsoft SharePoint appears to be ‘breaking into files’ and scanning users’ password-protected ZIP archives.
The discovery was made by Andrew Brandt, a principal security researcher at Sophos, after he found that files containing malware for research purposes were scanned by Microsoft’s 365 virus detection software.
Brandt outlined his claims in a Mastodon thread, revealing that several password-protected ZIP files had been flagged as ‘malware detected’ by antivirus software.
Following the malware flag, Brandt noted that this “limits what I can do with those files - they are basically dead space now”.
“Apparently Microsoft SharePoint now has the ability to scan inside of password-protected ZIP archives,” he wrote.
“How do I know? Because I have a lot of ZIPs (encrypted with a password) that contain malware, and my typical method of sharing those is to upload those passworded ZIPs into a Sharepoint directory.
“This morning, I discovered that a couple of password-protected ZIPs are flagged as "Malware detected" which limits what I can do with those files - they are basically dead space now.”
The discovery sparked initial concerns that Microsoft is actively scanning password-protected files, raising questions over security and privacy.
One user suggested that the practice is a reason why they’re “moving away from MS cloud” and that it crosses “ethics boundaries”.
“There is a bit of an ethics boundary being crossed here when they are starting to just break into files and archives under the guise of ‘security’ (which may just be used as a facade for them).”
In a reply on the Mastodon thread, Brandt noted that SharePoint uses a “word list” to check and potentially flag the content of files.
Given the password was ‘infected’ - a common archive password used in the cyber security community - SharePoint appears to have flagged this particular file.
“[SharePoint] says it uses a word list,” he said. “The password was ‘infected’ which is not in the least bit secure, but I hadn’t seen it poking around inside of passworded ZIPs before now, and was under the impression it wouldn’t do that.”
Brandt added that while the practice is understandable for ordinary users, it could hinder the work of malware analysts in particular.
“While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples,” he said.
“The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs.”
File scanning practices
Although this has raised some concerns over the scanning of files, the practice is well-documented by Microsoft in an explainer for its built-in antivirus protection for SharePoint, OneDrive, and Microsoft Teams.
“The Microsoft 365 virus detection engine scans files asynchronously (at some time after upload). If a file has not yet been scanned by the asynchronous virus detection process, and a user tries to download the file from the browser or from Teams, a scan on download is triggered by SharePoint before the download is allowed,” the explainer reads.
“All file types are not automatically scanned. Heuristics determine the files to scan. When a file is found to contain a virus, the file is flagged.”
“So, Microsoft's scanner started detecting malware in password-protected ZIP archives and people are losing their shit because they have no goddamn clue how anti-virus programs work. https://t.co/P0a5QFPrRX Strap in, kids, because I'm in a lecturing mood. Thread:”
May 16, 2023
In a Twitter thread reacting to the news, Dr. Vesselin Vladimirov Bontchev (@VessOnSecurity) said the practice isn’t quite as concerning as it seems.
“Scanners have been doing this since the ‘90s,” he wrote. “I think McAfee’s scanner was the first to try the password ‘infected’ if it encountered an encrypted ZIP archive.”
Bontchev pointed out that the practice of ‘protecting’ a ZIP archive potentially containing malware has traditionally been a tactic to improve safety and prevent unknowing users from downloading malicious software.
“The idea here is not secrecy. The idea is safety. These archives with malware are (or at least were) often sent by email from one researcher to another,” he explained.
“It's easy to mistype someone's email address and we wanted to make sure that if some random person, other than the intended recipient, received the malware by mistake, they wouldn't infect themselves by accidentally running it.”
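The word-list behaviour that Brandt describes and that Bontchev traces back to 1990s scanners is simple to demonstrate. The following Python is an added example written for this article; it is not Microsoft's, Sophos's or any vendor's scanner code. Because the standard library can read but not write traditionally encrypted (ZipCrypto) entries, the example first hand-builds a small encrypted archive, then runs a toy scanner over it that tries a constructed word list (only the entry 'infected' comes from the article; the real contents of any vendor's list are unknown) and looks for a constructed marker string standing in for a real signature.

```python
import io
import os
import struct
import zipfile
import zlib


def _crc32_byte(crc: int, ch: int) -> int:
    """Single-byte CRC-32 table step, as used by the ZipCrypto key schedule."""
    return zlib.crc32(bytes([ch]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class ZipCryptoEncryptor:
    """Traditional PKWARE 'ZipCrypto' stream cipher, encryption direction only.
    The standard library can decrypt such entries but cannot write them, so this
    constructed helper exists purely to build test archives offline."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for c in password:
            self._update(c)

    def _update(self, c: int) -> None:
        self.k0 = _crc32_byte(self.k0, c)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = (self.k2 | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key schedule advances on the plaintext byte
        return bytes(out)


def make_encrypted_zip(name: str, plain: bytes, password: bytes) -> bytes:
    """Hand-build a one-entry, stored, ZipCrypto-encrypted ZIP file."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    enc = ZipCryptoEncryptor(password)
    # 12-byte encryption header: 11 random bytes plus the CRC's high byte,
    # which readers use as a cheap password check before touching the data.
    payload = enc.encrypt(os.urandom(11) + bytes([crc >> 24])) + enc.encrypt(plain)
    fname = name.encode("ascii")
    flags, method, dos_time, dos_date = 0x0001, zipfile.ZIP_STORED, 0, 0x0021  # bit 0 = encrypted; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time, dos_date,
                        crc, len(payload), len(plain), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dos_time,
                          dos_date, crc, len(payload), len(plain), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(payload), 0)
    return local + payload + central + eocd


# Constructed stand-in for a real signature; it is not an actual malware pattern.
SIGNATURES = {b"CONSTRUCTED-TEST-SAMPLE-MARKER": "Test.Sample.Marker"}
# Constructed word list. 'infected' is the community convention the article describes;
# the real entries in a vendor's list are not known here.
WORDLIST = [b"infected", b"malware", b"virus"]


def scan_archive(blob: bytes, wordlist=WORDLIST, signatures=SIGNATURES) -> dict:
    """Scan every entry; for encrypted entries, try the word list before giving up."""
    report = {"encrypted": False, "password": None, "detections": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = None
            if info.flag_bits & 0x0001:
                report["encrypted"] = True
                for pwd in wordlist:
                    try:
                        data = zf.read(info.filename, pwd=pwd)
                        report["password"] = pwd.decode()
                        break
                    except (RuntimeError, zipfile.BadZipFile):
                        continue  # wrong guess: check byte or CRC-32 rejected it
            else:
                data = zf.read(info.filename)
            if data is None:
                continue  # no guess worked: the entry stays opaque to this scanner
            for pattern, label in signatures.items():
                if pattern in data:
                    report["detections"].append((info.filename, label))
    return report


if __name__ == "__main__":
    sample = b"header\n" + b"CONSTRUCTED-TEST-SAMPLE-MARKER" + b"\ntrailer\n"
    print(scan_archive(make_encrypted_zip("sample.bin", sample, b"infected")))
    print(scan_archive(make_encrypted_zip("sample.bin", sample, b"not-on-any-list-7Qx")))
```

Two things the run makes visible. First, a guess costs almost nothing: the 12-byte encryption header lets the reader reject a wrong password from its check byte before the entry body is decrypted, which is why trying a short list on every encrypted archive is cheap enough for a scanner to do routinely. Second, an archive protected with 'infected' is opened on the first attempt and its contents inspected exactly as an unencrypted upload would be, which is Bontchev's point that the convention was ever only about safety, not secrecy. An entry whose password is absent from the list stays opaque to this toy scanner; what a production engine does with an archive it cannot open is a policy choice the article does not document.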
ITPro has approached Microsoft for comment on the matter.
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.