Another is by testing the file to see if it’s protected with one of the passwords contained in a list. One way is to extract any possible passwords from the bodies of an email or the name of the file itself. “The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs.”įellow researcher Kevin Beaumont joined the discussion to say that Microsoft has multiple methods for scanning the contents of password-protected zip files and uses them not just on files stored in SharePoint but all its 365 cloud services. "While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples,” Brandt wrote. On Monday, he took to Mastodon to report that the Microsoft collaboration tool had recently flagged a zip file, which had been protected with the password “infected.” The security researcher has long archived malware inside password-protected zip files before exchanging them with other researchers through SharePoint. While analysis of password-protected files in Microsoft cloud environments is well-known to some people, it came as a surprise to Andrew Brandt. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft cloud services are scanning for malware by peeking inside users’ zip files, even when they’re protected by a password, several users reported on Mastodon on Monday.Ĭompressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads.
0 Comments
Leave a Reply. |