Microsoft can open and scan password-protected Zip archives in the cloud

In context: Protecting a Zip archive with a password can be a quick, easy way to secure sensitive or potentially dangerous data uploaded to a cloud storage server. However, when the cloud belongs to Microsoft, you cannot count on your files being safe from external tampering.

Microsoft will decrypt, open, and scan protected Zip archives uploaded to the company's cloud servers in search of potential computer threats. Security researcher Andrew Brandt recently discovered the issue while trying to share malware samples with other researchers through SharePoint.

One of the zipped archives Brandt used to move malware files around the cloud got flagged by Microsoft's online service as a security threat. Brandt protected the archive with the password "infected." He said that he shared the malware through a private cloud storage bucket and that now it is useless. The available space for sending colleagues samples is shrinking, Brandt said. He fears the issue will impact the ability of malware researchers to do their job.

Brandt said that Microsoft's policy to scan protected archives for dangerous threats is understandable for average users. However, this "nosy, get-inside-your-business" way of handling things is troublesome for security professionals.

Experts say that Microsoft's ability to scan inside password-protected files isn't related to any brute-force cracking techniques. The company is likely employing a list of commonly used passwords, or it's simply checking users' email messages for information about a password needed to decrypt a shared Zip archive. Redmond also seems to employ its forced scanning techniques on SharePoint and Microsoft 365 cloud accounts.

While Microsoft checks protected files without asking users' permission first, Google manages the issue seemingly less intrusively. The company says it doesn't scan password-protected archives, though Gmail can flag an encrypted attachment, and the Google Workspace service prevents sending protected Zip archives altogether.

ZipCrypto, the symmetric encryption scheme included in standard Zip specifications, is known to be seriously flawed. As the recently rediscovered invasive policy with Zip files highlights, trying to hide sensitive data within an encrypted archive doesn't provide any meaningful protection anymore. In contrast, other archive formats or encryption algorithms like AES-256 should be more robust even against Microsoft's "nosy" scanning attempts in the cloud.