Microsoft Defender tags Office updates as ransomware activity

Microsoft Defender for Endpoint

Windows admins were hit today by a wave of Microsoft Defender for Endpoint false positives where Office updates were tagged as malicious in alerts pointing to ransomware behavior detected on their systems.

According to Windows system admins reports [1234], this started happening several hours ago and, in some cases, it led to a “downpour of ransomware alerts.”

Following the surge of reports, Microsoft confirmed the Office updates were mistakenly marked as ransomware activity due to false positives.

Redmond added that its engineers updated cloud logic to prevent future alerts from showing up and remove the previous false positives.

“Starting on the morning of March 16th, customers may have experienced a series of false-positive detections that are attributed to a Ransomware behavior detection in the file system. Admins may have seen that the erroneous alerts had a title of ‘Ransomware behavior detected in the file system,’ and the alerts were triggered on OfficeSvcMgr.exe,” Microsoft said following users’ reports.

“Our investigation found that a recently deployed update within service components that detect ransomware alerts introduced a code issue that was causing alerts to be triggered when no issue was present. We deployed a code update to correct the problem and ensure that no new alerts will be sent, and we’ve re-processed a backlog of alerts to completely remediate impact.”

After the cloud logic update rollout, the incorrect ransomware activity alerts will no longer be generated. All logged false positives should also automatically clear from the portal without requiring the admins’ intervention.

False positives triggered by a code change

According to Microsoft, the issue “may have potentially affected” admins who attempted to view ransomware alerts in Microsoft Defender for Endpoint.

The root cause of the false positives was a recently deployed update within service components for detecting ransomware alerts.

This introduced a code issue that incorrectly caused the alerts to be triggered without ransomware activity being present on the system.

In November, Defender for Endpoint also blocked Office documents from opening and some Office executables from launching due to another false positive tagging the files Emotet malware payloads.

One month later, it also mistakenly showed “sensor tampering” alerts linked to the company’s newly deployed Microsoft 365 Defender scanner for Log4j processes.

Since October 2020, admins have had to deal with other similar Defender for Endpoint issues, including one alerting of network devices infected with Cobalt Strike and another one marking Chrome updates as PHP backdoors.

A Microsoft spokesperson was not available for comment when contacted by BleepingComputer earlier today.

Next Post

Secure Software Summit: Applying Chaos Engineering to Software Security

Sat Mar 19 , 2022
Today’s software systems are, essentially, controlled chaos—and lightly controlled chaos, at that. This makes it exceptionally challenging to model the behavior of those systems. Our systems are quickly becoming larger and larger, with more and more moving parts. It is not uncommon for enterprises to have over 1,000 microservices and […]