No, Microsoft SharePoint isn’t cracking users’ passwords


Security professionals have raised concerns that Microsoft SharePoint appears to be ‘breaking into files’ and scanning users’ password-protected ZIP archives. 

The discovery was made by Andrew Brandt, a principal security researcher at Sophos, after he found that password-protected archives containing malware samples, kept for research purposes, had been opened and scanned by the Microsoft 365 virus detection engine.

Brandt outlined his claims in a Mastodon thread, revealing that several password-protected ZIP files stored in SharePoint had been flagged as ‘malware detected’ by the service's built-in antivirus scanning.

Following the malware flag, Brandt noted that this “limits what I can do with those files - they are basically dead space now”. 

“Apparently Microsoft SharePoint now has the ability to scan inside of password-protected ZIP archives,” he wrote. 

“How do I know? Because I have a lot of ZIPs (encrypted with a password) that contain malware, and my typical method of sharing those is to upload those passworded ZIPs into a SharePoint directory.

“This morning, I discovered that a couple of password-protected ZIPs are flagged as "Malware detected" which limits what I can do with those files - they are basically dead space now.”

The discovery sparked initial concerns that Microsoft is actively opening and inspecting password-protected files, which some users read as a security and privacy issue.


One user suggested that the practice is a reason why they’re “moving away from MS cloud” and that it crosses “ethics boundaries”. 

“There is a bit of an ethics boundary being crossed here when they are starting to just break into files and archives under the guise of ‘security’ (which may just be used as a facade for them).”

In a reply on the Mastodon thread, Brandt noted that SharePoint uses a “word list” of common passwords to try against encrypted archives; if one of them opens the archive, the contents can be scanned and flagged like any other file.

Given that the password was ‘infected’ - a common archive password used in the cyber security community and an obvious candidate for such a list - SharePoint was able to open this particular file and flag its contents.

“[SharePoint] says it uses a word list,” he said. “The password was ‘infected’ which is not in the least bit secure, but I hadn’t seen it poking around inside of passworded ZIPs before now, and was under the impression it wouldn’t do that.” 

Brandt added that while this practice is understandable for general users, for malware analysts in particular it could prove a real obstacle.

“While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples,” he said. 

“The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs.”

File scanning practices

Although this has raised some concerns over the scanning of files, the practice is well-documented by Microsoft in an explainer for its built-in antivirus protection for SharePoint, OneDrive, and Microsoft Teams. 

“The Microsoft 365 virus detection engine scans files asynchronously (at some time after upload). If a file has not yet been scanned by the asynchronous virus detection process, and a user tries to download the file from the browser or from Teams, a scan on download is triggered by SharePoint before the download is allowed,” the explainer reads. 

“All file types are not automatically scanned. Heuristics determine the files to scan. When a file is found to contain a virus, the file is flagged.” 


In a Twitter thread reacting to the news, Dr Vesselin Vladimirov Bontchev (@VessOnSecurity) said the practice isn’t quite as concerning as it seems.

“Scanners have been doing this since the ‘90s,” he wrote. “I think McAfee’s scanner was the first to try the password ‘infected’ if it encountered an encrypted ZIP archive.”

Bontchev pointed out that putting a well-known password on a ZIP archive containing malware has traditionally been a safety measure rather than a secrecy measure: it stops an unwitting recipient from accidentally running the sample, and was never meant to keep scanners out.

“The idea here is not secrecy. The idea is safety. These archives with malware are (or at least were) often sent by email from one researcher to another,” he explained. 

“It's easy to mistype someone's email address and we wanted to make sure that if some random person, other than the intended recipient, received the malware by mistake, they wouldn't infect themselves by accidentally running it.”
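The word-list behaviour Brandt describes and the 1990s scanner trick Bontchev recalls, as an added example written for this article rather than Microsoft's, Sophos's or any scanner vendor's code: the block builds a ZIP protected with PKWARE's traditional “ZipCrypto” scheme (what a plain `zip -e` produces), then runs a scanner-style guess of a short word list against it and inspects the plaintext if a guess opens the archive. The sample payload is the harmless EICAR test string, and the word list and helper names (`RESEARCH_PASSWORDS`, `guess_password`, `scan_archive`) are assumptions made for the example. It also shows the caveat the thread only implies: an archive whose password is not on the list stays opaque to this kind of scanner.

```python
"""Added example for this article: how a scanner 'looks inside' a
password-protected ZIP by guessing well-known research passwords.
Not Microsoft's, Sophos's or any vendor's implementation."""
import io
import os
import struct
import zipfile
import zlib

# EICAR test string: harmless, but every scanner is required to flag it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Word list a scanner might carry (constructed for the example; the real
# lists used by products are not public).
RESEARCH_PASSWORDS = [b"password", b"123456", b"infected", b"malware", b"virus"]


def _gen_crc(crc):
    for _ in range(8):
        crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    return crc


_CRC_TABLE = [_gen_crc(i) for i in range(256)]


class ZipCryptoEncrypter:
    """PKWARE traditional (ZipCrypto) keystream, the mirror image of the
    decrypter in the standard library's zipfile module."""

    def __init__(self, pwd):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in pwd:
            self._update(b)

    def _update(self, b):
        self.k0 = (self.k0 >> 8) ^ _CRC_TABLE[(self.k0 ^ b) & 0xFF]
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            k = self.k2 | 2
            out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key schedule advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name, data, pwd):
    """Write a one-entry, STORED, ZipCrypto-encrypted archive by hand.
    (zipfile can read this encryption but cannot write it.)"""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the high byte of the
    # CRC, which is what lets a reader reject a wrong password cheaply.
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    body = ZipCryptoEncrypter(pwd).encrypt(header + data)
    fname = name.encode("ascii")
    flags, dos_time, dos_date = 0x0001, 0, 0x21  # bit 0 = encrypted; 1980-01-01
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, 0,
                        dos_time, dos_date, crc, len(body), len(data),
                        len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flags,
                          0, dos_time, dos_date, crc, len(body), len(data),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    end = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1,
                      len(central), len(local) + len(body), 0)
    return local + body + central + end


def guess_password(archive, wordlist):
    """Try each candidate; return (password, plaintext of the first entry)
    on success, or None if nothing on the list opens the archive."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        name = zf.namelist()[0]
        for pwd in wordlist:
            try:
                return pwd, zf.read(name, pwd=pwd)
            except (RuntimeError, zipfile.BadZipFile):
                continue  # header check byte, or the CRC, rejected the guess
    return None


def scan_archive(archive, wordlist=RESEARCH_PASSWORDS):
    """Verdict in the spirit of the SharePoint behaviour the article describes."""
    hit = guess_password(archive, wordlist)
    if hit is None:
        return "unscanned: encrypted, password not in word list"
    pwd, plaintext = hit
    if EICAR in plaintext:
        return "malware detected (opened with password %r)" % pwd.decode()
    return "clean (opened with password %r)" % pwd.decode()


if __name__ == "__main__":
    print(scan_archive(build_encrypted_zip("sample.bin", EICAR, b"infected")))
    random_pwd = os.urandom(16).hex().encode()
    print(scan_archive(build_encrypted_zip("sample.bin", EICAR, random_pwd)))
```

Run stand-alone, the first line reports the sample as malware because ‘infected’ is on the list, and the second reports the same payload as unscanned because its random password is not. That is the whole point of Bontchev's remark: ‘infected’ was chosen to be guessable, so researchers who now need the archive to stay closed to scanners have to treat the password as a real secret, and sharing it out of band is then part of the workflow.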

ITPro has approached Microsoft for comment on the matter. 

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
