Some Microsoft Office updates are being flagged as ransomware threats

News
By Sead Fadilpašić
last updated

False positive alerts in Defender caused by Microsoft Office updates

Representational image depecting cybersecurity protection
(Image credit: Shutterstock)

Some recently-released Microsoft Office updates are causing the company's Defender for Endpoint platform to raise the alarm about cyberattacks, it has warned.

The security tool was found to be labelling the Office updates as potential ransomware behavior, and given how prevalent supply chain attacks are, it’s no wonder people took it seriously.

Microsoft was quick to react, confirming the warnings were in fact only a false positive alert, and quickly tweaked Defender for Endpoint to alleviate the issue.

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

"Starting on the morning of March 16th, customers may have experienced a series of false-positive detections that are attributed to a Ransomware behavior detection in the file system,” Microsoft said in its report. “Admins may have seen that the erroneous alerts had a title of 'Ransomware behavior detected in the file system,' and the alerts were triggered on OfficeSvcMgr.exe." 

Office updates

The company added that the issue concerned a problem with the code that was swiftly addressed.

"Our investigation found that a recently deployed update within service components that detect ransomware alerts introduced a code issue that was causing alerts to be triggered when no issue was present. We deployed a code update to correct the problem and ensure that no new alerts will be sent, and we've re-processed a backlog of alerts to completely remediate impact."

This is not the first time Defender for Endpoint has seen issues with false positives. In early December 2021, the antivirus program prevented users from opening some Office files and launching various applications, triggering false positives related to Emotet malware.

Back then, the program detected print jobs as Emotet malware, as well as any Office app using MSIP.ExecutionHost.exe and slpwow64.exe.

Read more

> Are your Microsoft Office files refusing to open? This could be why

> Turns out Microsoft Defender had a rather embarrassing security flaw of its own

> Microsoft Defender for Endpoint wants to help your employees use iOS devices

Following this, Microsoft reportedly tried to increase the sensitivity of its filters for detecting Emotet and similar activity, due to the malware’s recent resurgence.

Emotet, which is believed to have originated in Ukraine, was almost extinct at the start of last year, after law enforcement seized control of Emotet infrastructure and reportedly arrested individuals linked with the operation.

However, since mid-November 2021, new Emotet samples have started popping up once again. These are quite similar to the previous strain, but have a different encryption scheme, and are being delivered to machines infected by TrickBot.

Via: BleepingComputer

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.