Overview
Microsoft cloud services (which includes OneDrive, Sharepoint, and others) are opening and looking into the contents of password-protected Zip files stored on their servers. This obviously poses a privacy concern to anyone using their systems.
It has been known for a while that Microsoft has opened compressed Zip files to check for malware and viruses, etc., but if you wanted to keep a service provider from seeing the contents of a file, you would encrypt it.
How do we know that Microsoft is scanning the contents of Zip files? Security expert Andrew Brandt, the principal security researcher at Sophos, shared his findings in a post on Mastodon.
Well, apparently #microsoft #Sharepoint now has the ability to scan inside password-protected zip archives.
How do I know? Because I have a lot of Zips (encrypted with a password) that contain malware and my typical method of sharing those is to upload those passworded Zips into a Sharepoint directory.
This morning, I discovered that a couple of password-protected Zips are flagged as “Malware detected” which limits what I can do with those files – they are basically dead space now.
In an article in Ars Technica, Kevin Beaumont, a fellow researcher, confirmed that Microsoft not only scans password-protected Zip files in Sharepoint but in all of its 365 cloud services.
Of course, Microsoft has not issued a notice or explanation of why it is scanning password-protected Zip files but we can assume it is to find infected content. But who knows – they could be scanning for a whole lot more!
Microsoft customers use encrypted files to store private information or to safely exchange information over the internet. Microsoft scanning and exploring these files is concerning. Furthermore, Microsoft may be required to share this information with government agencies. This is an obvious privacy concern for customers paying Microsoft for their service!
What Else Is Microsoft Scanning?
The only reason we know Microsoft is unencrypting password-protected Zip files is that they are removing infected content with their malware detectors. But, what else is Microsoft scanning? Are they scanning password-protected Word documents? Password-protected Excel files and other Office documents? Other password-protected archive programs like 7-Zip and RAR? If so, what are they doing with this information?
How Is Microsoft Decrypting Zip Files?
Since Microsoft has not issued any notice of what, how, or why they are scanning password-encrypted files, we do not know exactly. But we can make some assumptions:
- First, Microsoft may be brute force decrypting encrypted files. Zip files have two encryption methods: AES encryption and Standard Zip 2.0 / ZipCrypto encryption. Zip 2.0 / ZipCripto encryption is not very strong (even WinZip states that it is weak) and Microsoft may be opening all of these as well as weak passworded AES files. Brandt mentioned that his passwords were not very strong
- Second, Microsoft may be reading emails or looking at “clues” the file owner may have given themselves in the archive file. Beaumont wrote: “If you mail yourself something and type something like ‘ZIP password is Soph0s’, ZIP up EICAR and ZIP password it with Soph0s, it’ll find (the) password, extract and find (and feed MS detection)”
- Third, Microsoft may be applying a list of common passwords to the password-encrypted files to see if they will open. Brandt noted that some, but not all, of his files were flagged as “Malware detected”
How To Protect Your Privacy On Microsoft’s Online Services
If you choose to store password-encrypted files, whether they are Zip files, Office documents, or other types of files, on Microsoft servers, you will want to take some precautions.
- First, when given a choice of encryption methods, always choose the strongest method
- Second, use a strong password
- Third, do not store password clues in file names or archive names
- Fourth, never send the password in an email with the encrypted file. If possible, use a separate method to send the password than sending the file. Even better would be to use some kind of secure messaging service (Signal, WhatsApp, etc.) or a secure sending service (Bitwarden Send, for example) to send the password (or even the password-encrypted file)
Bottom Line
Even though Microsoft probably feels justified in opening and scanning password-encrypted files for viruses and malware, Microsoft’s scanning of password-encrypted files is simply wrong and is a major privacy concern. Microsoft’s paying customers deserve better than this. If you are a Microsoft cloud service customer, let me know in the comments how you feel about Microsoft scanning your encrypted files.
—
Simple, use RAR or 7-Zip archives instead
Hi Chris,
What if MS is scanning RAR or 7-Zip files too?
This sounds silly, but why store your files on servers in the first place? Having them on flash drives, several copies of them in different locations for safety, on encrypted drives, makes sense to me, Mindblower!
Hi Mindblower,
Storage on local drives of some kind is more convenient in most cases. However, there are legitimate and useful reasons for storing files in the cloud, too. However, if you password protect and encrypt them, the firm you are paying money to for storing these files should not be decrypting and looking in them.
I went all out and use Cryptomator to store sensitive files in a vault on OneDrive. It’s free and is open source. Can be set to unlock and mount the vault as a virtual drive upon startup. All files in the vault are encrypted.
Word of caution: Be prepared for all kinds of ransomware warnings from OneDrive and Windows Security when setting up the vault.
I use OneDrive as part of my backup plan to backup pictures and documents for off-site storage. Cryptomator protects them in the event my account got compromised. Probably not useful for file sharing, but it does keep snoopers out.
Hi Mark H.,
Taking security and privacy precautions, whatever they are, is a wise move when storing data in the cloud in case there is a data breach However, I believe that you should not need to take these measures against the firm you are paying to store your data. The snooper should not be your data storage provider — especially when you password protect and encrypt the data!