Microsoft even scans inside password-protected zip files, Ars Technica reports. In its own cloud environment, Microsoft can detect malware within compressed files.

It’s a well-known tactic of cybercriminals: packaging malware inside a zip file to avoid detection. Password protection on a compressed file stops many security services, but not Microsoft’s.

Containment

While many users will welcome additional malware protection, Microsoft’s scanning tactics may be a stumbling block for researchers. For example, malware researcher Andrew Brandt states that on SharePoint he can do less with his zip files, which Microsoft recognized as malware. The reason: the password used was “infected.”

Brandt gives another example in which Microsoft OneDrive recognized a large number of files as malware and deleted them from his local storage, which OneDrive used as a backup.

The containment of a malware researcher is a fairly niche use case for such cloud environments. Many other cloud services are not known to be able to bypass passwords in this way for malware detection. However, zip-file passwords are easy to crack anyway.

What about privacy?

Apart from the purposes of security research teams, handling privacy is not a strong point of Big Tech. Companies like Meta, Google and Microsoft often need a few raps on the knuckles before they adhere to privacy principles, as WhatsApp recently showed. In this case, the issue is a bit trickier, since Microsoft is not necessarily interested in what a person or organization is hiding behind a password. After all, the scanning serves to protect Microsoft’s own cloud environment from rogue software, and it is highly unlikely that a real person at Microsoft will see the potentially sensitive data in a zip file.

In short, in this case, the benefit of the doubt is to be given to Microsoft. First of all, anyone who does not want to share data with this tech giant to secure the cloud environment should not use its online services.
