Microsoft SharePoint does not breach user passwords
In a recent discovery, Microsoft SharePoint's handling of password-protected ZIP archives has come under scrutiny, as these files appear to be effectively invisible to its scanning and labeling processes. The finding, made by Andrew Brandt, principal security researcher at Sophos, could pose a security risk that both malware researchers and security teams need to address.
SharePoint, Microsoft's cloud-based collaboration and document management service, employs heuristics to determine which files to scan. When a file containing a virus is identified, it is flagged, preventing users from interacting with it. However, it has been found that SharePoint does not natively scan the contents of password-protected ZIP archives, due to the scanner's inability to access the encrypted contents without the password.
This limitation means that malicious payloads hidden inside password-protected ZIP files may evade SharePoint’s detection and security policies, creating a blind spot in malware detection. When investigating suspicious or compromised SharePoint environments, researchers may need to manually retrieve and decrypt password-protected ZIP files to examine their contents fully.
Moreover, SharePoint’s search and labeling capabilities do not index files inside compressed archives, including ZIP files, further complicating the identification of sensitive or malicious content within password-protected archives.
While advanced antivirus or malware-scanning APIs offer real-time and deep scanning capabilities, including scanning attachments on upload, neither SharePoint's native scanner nor the Microsoft Purview Information Protection scanner explicitly supports automatic scanning inside password-protected archives.
The idea behind this practice is not secrecy, but safety. Password-protected ZIP archives, often sent by email among researchers, can contain malware. By scanning these archives, Microsoft aims to prevent accidental infections due to mistyping someone's email address.
However, this practice has sparked concerns over security and privacy, as it seems Microsoft is actively scanning password-protected files. Some users have even suggested moving away from Microsoft cloud services due to ethics concerns.
This discovery harks back to the '90s, when scanners started attempting to crack passwords on encrypted ZIP archives, with McAfee's scanner being the first to try the password 'infected' if it encountered an encrypted ZIP archive.
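The two checks described above, as an added example that is not part of the article and not code from Microsoft, Sophos or McAfee: the script flags ZIP entries whose general-purpose flag bit 0 (encryption) is set, which is exactly what a scanner cannot open without the password, and then tries the 'infected' research convention the article attributes to McAfee's scanner so that the decrypted contents can be handed to an ordinary scanner. Because Python's standard library cannot write encrypted archives, the block includes a minimal ZipCrypto (traditional PKWARE) encryptor to construct sample archives in memory; the entry names, payload bytes and the `CONVENTIONAL_PASSWORDS` list are placeholders chosen for the example.

```python
"""Flag password-protected ZIP entries and try the research-convention password.

Added example (not from the article). The sample archives are constructed in
memory (ZipCrypto, STORED) so the check runs offline against the standard
zipfile module.
"""
import io
import os
import struct
import zipfile
import zlib

# Passwords a malware-research workflow conventionally uses; the article names
# only 'infected', so that is the whole list here.
CONVENTIONAL_PASSWORDS = [b"infected"]

# CRC-32 table used by the traditional PKWARE ("ZipCrypto") key schedule.
_CRCTAB = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


def zipcrypto_encrypt(plain: bytes, pwd: bytes) -> bytes:
    """Encrypt bytes with the legacy ZipCrypto stream cipher (APPNOTE section 6.1)."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def crc_step(crc, ch):
        return (crc >> 8) ^ _CRCTAB[(crc ^ ch) & 0xFF]

    def update(ch):
        keys[0] = crc_step(keys[0], ch)
        keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
        keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = crc_step(keys[2], keys[1] >> 24)

    for ch in pwd:
        update(ch)
    out = bytearray()
    for p in plain:
        k = keys[2] | 2
        out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))  # keystream byte
        update(p)  # the key state advances on the plaintext byte
    return bytes(out)


def build_zip(entries, pwd=None) -> bytes:
    """Write a minimal STORED archive; entries are ZipCrypto-encrypted when pwd is given."""
    dostime = 12 << 11                                  # 12:00:00, arbitrary
    dosdate = ((2023 - 1980) << 9) | (5 << 5) | 15      # 2023-05-15, arbitrary
    local, central = bytearray(), bytearray()
    for name, plain in entries.items():
        name_b = name.encode("ascii")
        crc = zlib.crc32(plain) & 0xFFFFFFFF
        flags, payload = 0, plain
        if pwd is not None:
            flags = 1  # general-purpose bit 0: entry is encrypted
            # 12-byte encryption header; its last byte must decrypt to CRC >> 24
            header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
            payload = zipcrypto_encrypt(header + plain, pwd)
        offset = len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, dostime, dosdate,
                             crc, len(payload), len(plain), len(name_b), 0) + name_b + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, dostime,
                               dosdate, crc, len(payload), len(plain), len(name_b),
                               0, 0, 0, 0, 0, offset) + name_b
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def inspect_archive(data: bytes, passwords=CONVENTIONAL_PASSWORDS) -> dict:
    """Report encrypted entries and whether a conventional password opens them.

    Returns {"encrypted_entries": [...], "opened_with": str|None, "contents": {...}}.
    Entries still closed after this are the blind spot: route them to manual review.
    """
    report = {"encrypted_entries": [], "opened_with": None, "contents": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        report["encrypted_entries"] = [i.filename for i in infos if i.flag_bits & 0x1]
        if not report["encrypted_entries"]:
            report["contents"] = {i.filename: zf.read(i) for i in infos}
            return report
        for pwd in passwords:
            try:
                contents = {i.filename: zf.read(i, pwd=pwd) for i in infos}
            except (RuntimeError, zipfile.BadZipFile):
                continue  # wrong password (header check or CRC failed)
            report["opened_with"] = pwd.decode()
            report["contents"] = contents
            break
    return report


if __name__ == "__main__":
    sample = {"payload.bin": b"constructed sample payload\n"}  # constructed, not malware
    for label, pwd in (("plain", None), ("infected", b"infected"), ("unknown", b"s3cret")):
        print(label, inspect_archive(build_zip(sample, pwd)))
```

The encryption-flag check works for any ZIP entry, including WinZip AES entries, but `zipfile` can only decrypt the legacy ZipCrypto scheme; an AES entry that matches a conventional password still raises and is therefore reported as closed, which is the right outcome for a scanner that should escalate rather than silently pass the file.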
In summary, Microsoft SharePoint’s handling of password-protected ZIP archives results in these files being effectively invisible to its scanning and labeling processes, posing a potential security risk that malware researchers and security teams must address through additional tooling or manual inspection.
Cybersecurity teams may need to implement additional measures to secure SharePoint environments, as password-protected ZIP files might evade Microsoft's native scanner and harbor malicious payloads. For cloud-hosted data, this illustrates the importance of tooling that can fully examine the encrypted contents of password-protected archives in order to mitigate the risk.