Beware, Microsoft is looking in password locked ZIP files

Microsoft is now looking at the contents of password protected ZIP files stored on OneDrive, Sharepoint and other cloud services. Maybe with honorable intentions but there are serious privacy concerns that haven’t been acknowledged.

For a long time, Microsoft’s antivirus and safety systems have opened up compressed ZIP files to check the contents for nasty files (bad macros, infected documents etc.).  Hackers responded by making password protected ZIP files to carry their unwanted payload.

These malicious password protected ZIP files are either opened by code which includes the password, or the password is included in the email to trick the receiver into opening it, e.g. “Attached is your increased salary offer, open with the password ‘MoreMoney’”.

Now Microsoft is looking inside the password locked ZIP files, presumably checking for infected files but perhaps a lot more too?

As reported by Dan Goodin on Ars Technica and Andrew Brandt, this started without notice or explanation from Microsoft.

Microsoft hasn’t explained what they are doing, ignoring requests for even a comment.  A typical “Don’t even ask, we know best” attitude from Redmond.

There are too many questions about this change. It’s possibly done with the best of intentions but opens up a lot of issues about customer privacy and how they are unlocking the password protection.

How is Microsoft breaking password ZIP files?

There are various types of encryption possible in ZIP files, some easy to break.

Standard ZIP encryption is, by modern standards, easy to bypass.  Even the makers of ZIP say that this method should not be used “to provide strong security for your data.”  For those files, Microsoft might just be opening them without bothering to get the password. 

Modern ZIPs use the AES standard, which Microsoft itself uses. To open these files, the password is necessary.

Perhaps Microsoft is getting the ZIP password using clues in the email or even ZIP file name.  Malicious emails have to include the password somewhere for example “Urgent, staff layoff list attached, use password ‘FoolMeOnce’ to open”.

Likely there’s also a list of common passwords (like ‘password’ and ‘12345’) that are tried. Mr Brandt used ‘infected’ on all his ZIP file samples.
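The two points above, the weak legacy ZIP encryption versus AES and the password written out in the covering email, can both be checked from the defender's side. The script below is an added illustration and is not code from this article, from Microsoft or from Office Watch. It reads a ZIP file's central directory (the encryption flag, the compression method and the WinZip AES extra field) to report which entries rely on legacy ZipCrypto and which use AES, and it scans accompanying email text for a quoted password. The sample archive and sample email are constructed inline; the archive only sets the headers that mark an entry as encrypted, its payload bytes are not actually encrypted, which is all the header classifier needs.

```python
import io
import re
import struct
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constants from the ZIP application note and the WinZip AES extension
FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0: entry is encrypted
AES_METHOD = 99           # compression method reserved for WinZip AES
AES_EXTRA_ID = 0x9901     # extra-field ID that carries the AES strength


@dataclass
class EntryInfo:
    name: str
    scheme: str  # "none", "zipcrypto", "aes-128", "aes-192", "aes-256" or "aes-unknown"


def _aes_strength(extra: bytes) -> Optional[int]:
    """Return 128/192/256 from a WinZip AES extra field, or None if it is absent."""
    i = 0
    while i + 4 <= len(extra):
        eid, elen = struct.unpack("<HH", extra[i:i + 4])
        body = extra[i + 4:i + 4 + elen]
        # body layout: vendor version(2) vendor id "AE"(2) strength(1) real method(2)
        if eid == AES_EXTRA_ID and len(body) >= 5:
            return {1: 128, 2: 192, 3: 256}.get(body[4])
        i += 4 + elen
    return None


def classify_zip(data: bytes) -> List[EntryInfo]:
    """Walk the central directory and report how each entry is protected."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, n_entries, _, cd_offset, _ = struct.unpack("<IHHHHIIH", data[eocd:eocd + 22])
    entries, pos = [], cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        f = struct.unpack("<IHHHHHHIIIHHHHHII", data[pos:pos + 46])
        flags, method, name_len, extra_len, comment_len = f[3], f[4], f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        scheme = "none"
        if flags & FLAG_ENCRYPTED:
            scheme = "zipcrypto"  # legacy scheme: flag set, ordinary compression method
            if method == AES_METHOD:
                bits = _aes_strength(extra)
                scheme = f"aes-{bits}" if bits else "aes-unknown"
        entries.append(EntryInfo(name, scheme))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def weak_entries(entries: List[EntryInfo]) -> List[str]:
    """Names of entries relying on legacy ZipCrypto, which is not strong protection."""
    return [e.name for e in entries if e.scheme == "zipcrypto"]


# Matches "password ‘MoreMoney’" style disclosures in an email body (curly or straight quotes).
_PW_RE = re.compile(r"password\W*[‘'\"“]([^’'\"”]+)[’'\"”]", re.IGNORECASE)


def disclosed_passwords(text: str) -> List[str]:
    """Candidate passwords written out in the accompanying text, the lure the article describes."""
    return _PW_RE.findall(text)


def build_sample_zip(entries: List[Tuple[str, bytes, int, int, bytes]]) -> bytes:
    """Constructed test archive (assumption: stored entries, no zip64). Only the headers are
    set to look encrypted; the payload bytes stay plain, which is all the classifier reads."""
    buf, central = io.BytesIO(), b""
    for name, payload, flags, method, extra in entries:
        nb, crc, off = name.encode(), zlib.crc32(payload) & 0xFFFFFFFF, buf.tell()
        buf.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                              crc, len(payload), len(payload), len(nb), len(extra)))
        buf.write(nb + extra + payload)
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, 0, 0,
                               crc, len(payload), len(payload), len(nb), len(extra), 0, 0, 0, 0, off)
        central += nb + extra
    cd_off = buf.tell()
    buf.write(central)
    buf.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                          len(central), cd_off, 0))
    return buf.getvalue()


# WinZip AES extra field: id, length 7, AE-2, vendor "AE", strength 3 (256-bit), real method 8
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)

# Constructed sample archive: one plain entry, one legacy ZipCrypto entry, one AES-256 entry
SAMPLE_ZIP = build_sample_zip([
    ("readme.txt", b"plain text", 0, 0, b""),
    ("invoice.pdf", b"not really a pdf", FLAG_ENCRYPTED, 0, b""),
    ("report.docx", b"not really a docx", FLAG_ENCRYPTED, AES_METHOD, AES256_EXTRA),
])

# Constructed sample email text using the lures quoted in the article
SAMPLE_EMAIL = ("Attached is your increased salary offer, open with the password ‘MoreMoney’. "
                "Urgent, staff layoff list attached, use password ‘FoolMeOnce’ to open.")

if __name__ == "__main__":
    for e in classify_zip(SAMPLE_ZIP):
        print(f"{e.name:12} {e.scheme}")
    print("weak entries:", weak_entries(classify_zip(SAMPLE_ZIP)))
    print("passwords disclosed in email:", disclosed_passwords(SAMPLE_EMAIL))
```

The classifier never needs a password: the central directory alone says whether an entry uses the legacy scheme or AES, so an organisation can list which of its cloud-stored archives depend on the weak method before anyone else does. Entries reported as "zipcrypto" are the ones the article says can be opened without bothering to get the password; "aes-256" entries stay locked unless the password is found, which is why the email check matters.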

What about Office documents with password protection?

Has or will Microsoft extend this to opening password protected Office documents? 

From a security POV, that makes sense since infected Office docs can be hidden from scanning with encryption. The email can include the password: “Money from a Nigerian Prince is in the attached document, open with the password ‘Sucker’”.

But it’s a huge issue for the many people or organizations that keep their secrets in password locked documents.

It’s just for virus checks — or is it?

For the moment, the concern is for security experts who need to keep copies of malicious code but the intrusion on previously secure storage goes way beyond that niche issue.

People use encrypted ZIP files for all sorts of previously secure storage in cloud services or for sending data via email.

Now Microsoft is potentially exploring the contents and can be required by law to hand the unlocked documents and data over to government agencies.

While Redmond’s intentions might be good, Microsoft appears to have ignored the privacy expectation of their paying customers.

Protect your encrypted ZIP files and Office documents

The main protection is the long-standing trick of never including the password with the email that contains the encrypted file.

Sending encrypted ZIP with the password in the same email leaves the contents open for anyone who can access the message.  It’s like writing a letter in code, then putting the code key on the back of the envelope.

Always send the unlocking password in a separate message or better, by a totally different method.  If the encrypted file is intercepted, it’s useless without the password.

That’s what we recommend in Beating Bots, Spies and Cockups, our guide to securely sending data over the Internet.

For example, send the encrypted files via email but the password by secure messaging (Signal or WhatsApp).

That will keep the encrypted file locked up and away from Microsoft’s prying eyes.

Alternatively, send the encrypted file by another method.  WhatsApp and Signal both accept encrypted file transfers in larger sizes than most emails.

If you must save a password locked ZIP or Office document in the cloud, make sure the password is complex (i.e. not a common password) and not revealed in any associated file or file name.

The Real Solution

The full and proper solution is for Microsoft to be more open about what they are doing.  Explaining which password locked files are being opened and how will reassure customers.

Giving a broad explanation won’t help hackers since they’ll already know what’s going on. 

The only people kept in the dark are the ones who deserve to know, Microsoft’s paying customers.

About this author

Office Watch is the independent source of Microsoft Office news, tips and help since 1996. Don't miss our famous free newsletter.