There’s one tactic that cyber defenders easily let slip through the cracks: the password-protected archive. A ZIP file encrypted “just in case”, and suddenly your scanners and gateways go blind. It’s a clever exploitation of trust: end users expect a password prompt, not a hidden payload.
How file encryption becomes an exploit
Attackers weaponize file encryption, a feature that exists for privacy. When a threat protection solution such as a malware scanner encounters an encrypted attachment, it often defers inspection, tags the file as “unscannable” and forwards it without deeper analysis. Meanwhile, the attacker conveniently shares the password in the message body or an accompanying chat, ensuring only a human user can unpack it. By the time the malicious payload emerges, it’s already doing damage.
No sophisticated zero-day exploit is needed when a basic ZIP file can evade detection simply because security tools aren’t configured to look that deep.
Last-line defenses are limited against encrypted threats
Relying solely on endpoint protection is a high-stakes gamble. Consider password-protected archives containing decompression bombs: a small encrypted file that expands into terabytes of junk, overwhelming sandbox environments and crashing AV engines.
Even if the sandbox survives, analysis is delayed as it desperately unpacks nested layers. And all the while, an end user eager to collaborate may decrypt and execute the payload before any alarm rings.
Defensive tools like antivirus with sandboxing and EDR are crucial, but they operate under the assumption that they can see what they’re scanning. Encryption breaks that assumption.
Shifting control upstream
What if we simply treated encrypted archives as policy violations? By enforcing controls at entry points like Salesforce, organizations can neutralize threats before they ever reach downstream tools or employees. With straightforward attachment policies you could quarantine or block any file flagged as encrypted. No password, no pass.
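As an added illustration of this upstream policy check (example code, not WithSecure's product and not part of the original post): a Python scanner that reads only the ZIP central directory, so the gate can flag password-protected entries (general-purpose bit 0) and grossly inflated entries of the decompression-bomb kind without a password and without unpacking anything. The archive bytes are constructed inline, and the expansion-ratio threshold is an assumed policy value, not a standard.

```python
import struct
from dataclasses import dataclass, field

FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0: entry is encrypted (ZIP APPNOTE)
MAX_RATIO = 200           # assumed policy threshold for uncompressed/compressed size
EOCD_SIG, CD_SIG, LFH_SIG = 0x06054B50, 0x02014B50, 0x04034B50

@dataclass
class Verdict:
    encrypted: list = field(default_factory=list)   # names of password-protected entries
    bomb_like: list = field(default_factory=list)   # names exceeding the expansion ratio
    def blocked(self) -> bool:
        return bool(self.encrypted or self.bomb_like)

def scan_zip(data: bytes, max_ratio: int = MAX_RATIO) -> Verdict:
    """Walk the central directory only; never inflates or decrypts entry data."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, n, _, cd_off, _ = struct.unpack("<IHHHHIIH", data[eocd:eocd + 22])
    v, pos = Verdict(), cd_off
    for _ in range(n):
        hdr = struct.unpack("<IHHHHHHIIIHHHHHII", data[pos:pos + 46])
        if hdr[0] != CD_SIG:
            raise ValueError("corrupt central directory")
        flags, csize, usize, nlen, xlen, clen = hdr[3], hdr[8], hdr[9], hdr[10], hdr[11], hdr[12]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        if flags & FLAG_ENCRYPTED:
            v.encrypted.append(name)
        if csize and usize / csize > max_ratio:    # tiny on disk, huge when inflated
            v.bomb_like.append(name)
        pos += 46 + nlen + xlen + clen
    return v

def build_zip(entries) -> bytes:
    """Constructed test archive from (name, flags, csize, usize); payloads are filler."""
    body, cd = b"", b""
    for name, flags, csize, usize in entries:
        nm = name.encode()
        cd += struct.pack("<IHHHHHHIIIHHHHHII", CD_SIG, 20, 20, flags, 8, 0, 0, 0,
                          csize, usize, len(nm), 0, 0, 0, 0, 0, len(body)) + nm
        body += struct.pack("<IHHHHHIIIHH", LFH_SIG, 20, flags, 8, 0, 0, 0,
                            csize, usize, len(nm), 0) + nm + b"\0" * csize
    return body + cd + struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries),
                                   len(entries), len(cd), len(body), 0)

SAMPLE = build_zip([("report.docx", 0, 900, 1200),                  # benign
                    ("invoice.exe", FLAG_ENCRYPTED, 600, 600),       # password-protected
                    ("bomb.bin", 0, 1024, 1024 * 1024 * 1024)])      # 1 KiB -> 1 GiB

if __name__ == "__main__":
    verdict = scan_zip(SAMPLE)
    print("blocked:", verdict.blocked(), verdict.encrypted, verdict.bomb_like)
```

Because the decision rests on header metadata alone, the same check works at an upload gateway whether or not the password is ever supplied.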
Salesforce native solution in WithSecure Cloud Protection for Salesforce
Security and Salesforce teams have a built‑in shield against encrypted archive threats. WithSecure™ Cloud Protection for Salesforce automatically detects and blocks password-protected archives on upload and download. Here’s how it works:
- File protection: password-protected archives are identified in real time as they transit Salesforce.
- Automatic removal: based on feature settings, any detected archive is removed and replaced with a placeholder text file, ensuring no hidden payload reaches users.
- Visibility and alerts: every blocked archive generates alerts and events, giving investigating security teams immediate insight into attempted threats.
- Comprehensive format coverage: supports all popular archive formats (ZIP, RAR, 7z, ISO).
A hands‑off approach like this lets you enforce policy without complex custom triggers or workflows, while providing clear visibility and audit trails for compliance.

Prevention is the best policy
Password-protected archives grant attackers a head start. By moving our defenses upstream and treating encrypted archives as policy violations, we cut off threats at the source. The mindset against threats like these needs to be: security begins at the gate, not at the endpoint.