SecureMint

Outlook Blocked Your Encrypted ZIP — Here's the Fix

Microsoft 365 Defender treats password-protected archives as a malware-delivery vector because its engine cannot scan inside them. If your encrypted ZIP attachment bounces back with a policy rejection, the correct fix is not to weaken security — it's to switch to link-based sharing. A SecureMint link contains the decryption key in the URL fragment, so Defender sees only a plain URL and lets it through.

Switch to Link Sharing
SecureMint uses zero-knowledge design. The server cannot read your data.
securemint.app/d/abc123#secret-key

Steps

1

Understand why Outlook blocked it

Check the NDR (Non-Delivery Report). Typical error: 'Message contains an encrypted attachment that cannot be scanned'. Defender policy 'Block encrypted attachments' is on by default for many tenants.

2

Upload the original file to SecureMint /send

Send the unzipped original — SecureMint handles encryption. AES-256-GCM in the browser before upload, key derivation via PBKDF2-SHA256.

3

Copy the share link

You get a URL with the decryption key in the fragment (#). Defender cannot execute or scan what's in the fragment — it's a plain URL to Defender's eyes.

4

Paste the link into Outlook and send

Put the link in the email body. Share the password via a separate channel (phone, Teams DM, Signal). The email now passes Defender cleanly.

Why It's Secure

  • Microsoft's own guidance recommends link-based sharing over encrypted attachments for exactly this reason.
  • SecureMint's AES-256-GCM is stronger than legacy ZIP encryption (ZipCrypto) and even modern AES-ZIP.
  • Separating the file (via link) and the password (via phone/Teams) gives you real two-channel delivery, solving the core PPAP flaw.
  • Optional download-count limit and expiry reduce risk if the link is forwarded.

FAQ

My recipient's company blocks external links too. Now what?
Use SecureMint's self-decrypt HTML mode. It's a single HTML file that the recipient can open offline — some gateways allow HTML while rejecting archives. Alternatively, share via an approved cloud storage and include the SecureMint link there.
Can I just disable the Defender policy for my account?
Only a tenant admin can change the policy, and they usually won't — for good reason. Link-based sharing is the correct long-term answer.
Does the recipient need an Outlook plugin?
No. Any browser opens the SecureMint link. Zero plugins, zero installs, zero accounts.

Related Tools

Send FilesSelf-Decrypt HTMLEncrypted ZIP Blocked Guide

Related Articles

Encrypted ZIP Blocked by Email? Do This Instead

Gmail, Outlook, and Microsoft 365 increasingly block password-protected ZIPs as malware. Learn why, and how to send encrypted files via SecureMint links instead — without getting bounced.

Gmail 25 MB Limit Workaround That Isn't Google Drive

Hitting Gmail's 25 MB attachment ceiling? The default fix is Google Drive — but it exposes your file to Google's scanning. Here's the zero-knowledge alternative.

PPAP Alternative: Secure File Sharing with SecureMint

Replace insecure PPAP (password-protected ZIP via email) with E2E encrypted file sharing. No more sending passwords in separate emails.