Imagine that you collect some files, bundle them into a password-protected ZIP or RAR archive and upload it to a cloud service, believing that your files are more or less protected. Then you discover that your “protected” archive is not so protected after all.
This is what happened to security researcher Andrew Brandt, whose job is to test vulnerabilities in depth. In a post he published on Mastodon (the network that wants to compete with Twitter), he says that one of the files he shared with colleagues through Microsoft’s SharePoint platform was flagged as malicious even though it was locked behind a password.
This is how Brandt realized that Microsoft could look inside users’ password-protected files in search of malicious content without notifying them in advance. “This morning I discovered a number of password-protected ZIP files have been marked as ‘damaged’ which significantly limits what I can do with them – they are currently unusable,” wrote Brandt.
According to him, this is a completely understandable decision on Microsoft’s part, which wants to make sure that malicious files are not distributed through its cloud platforms, but in his opinion it suits ordinary users, not security researchers: “This nosy way, which goes straight to your guts, is going to be extremely problematic for people like me who need to send harmful samples to colleagues.”
But the big question is not whether Microsoft snoops inside the file, but how it discovered the file’s password in the first place. According to Kevin Beaumont, a security researcher who responded to Brandt, it is not very complicated: Microsoft keeps a list of popular passwords and tries them against your password-protected files to see whether they contain anything harmful. Because Brandt used “infected” – a relatively well-known password that security researchers use for malicious ZIP files – his file was caught by Microsoft.
Although the first method Microsoft uses to get past the file passwords is relatively simple and logical, Beaumont claims that the technology giant also uses another one, which you probably won’t like. “They also remove passwords from the body of the email,” he noted in his reply to Brandt. Beaumont emphasized that Microsoft does not stop at scanning the SharePoint files Brandt transferred; its system also ran on files stored in Microsoft 365, its cloud service for private and business users. In other words, Microsoft is brute-forcing the passwords.
Despite requests from several media outlets, Microsoft did not respond to the researchers’ claims.
It is important to note that Google, unlike Microsoft, does not scan password-protected ZIP files, according to a company spokesperson. However, Google’s systems will usually mark such files as suspicious as soon as you receive them and will not allow them to be emailed to other users.