When filling out a SharePoint webform, you are able to attach a malicious file, and then redownload it, before the form is submitted to SharePoint.

Protection for SharePoint Servers can only scan files which are uploaded to the SharePoint server. In case of attachment, the file is only available at the client side before form submission, and not submitted or uploaded to the server. Per the design of SharePoint, SPSS can’t access that file for scanning.

Downloading the file in the same session is not considered a vulnerability, as it is able to be downloaded only at the client side that it was uploaded from.

This attached file will not be uploaded to the SharePoint server even after form submission, if it is an infected file.