Some Microsoft Office updates are being flagged as ransomware threats

False positive alerts in Defender caused by Microsoft Office updates

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Some recently-releasedMicrosoft Officeupdates are causing the company’s Defender for Endpoint platform to raise the alarm about cyberattacks, it has warned.

The security tool was found to be labelling the Office updates as potentialransomwarebehavior, and given how prevalent supply chain attacks are, it’s no wonder people took it seriously.

Microsoftwas quick to react, confirming the warnings were in fact only a false positive alert, and quickly tweaked Defender for Endpoint to alleviate the issue.

We’re looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn’t take more than 60 seconds of your time. Thank you for taking part.

Click here to start the survey in a new window«

“Starting on the morning of March 16th, customers may have experienced a series of false-positive detections that are attributed to a Ransomware behavior detection in the file system,” Microsoft said in its report. “Admins may have seen that the erroneous alerts had a title of ‘Ransomware behavior detected in the file system,’ and the alerts were triggered on OfficeSvcMgr.exe.”

Office updates

The company added that the issue concerned a problem with the code that was swiftly addressed.

“Our investigation found that a recently deployed update within service components that detect ransomware alerts introduced a code issue that was causing alerts to be triggered when no issue was present. We deployed a code update to correct the problem and ensure that no new alerts will be sent, and we’ve re-processed a backlog of alerts to completely remediate impact.”

This is not the first time Defender for Endpoint has seen issues with false positives. In early December 2021, theantivirusprogram prevented users from opening some Office files and launching various applications, triggering false positives related to Emotet malware.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Back then, the program detected print jobs as Emotetmalware, as well as any Office app using MSIP.ExecutionHost.exe and slpwow64.exe.

Are your Microsoft Office files refusing to open? This could be why>Turns out Microsoft Defender had a rather embarrassing security flaw of its own>Microsoft Defender for Endpoint wants to help your employees use iOS devices

Following this, Microsoft reportedly tried to increase the sensitivity of its filters for detecting Emotet and similar activity, due to the malware’s recent resurgence.

Emotet, which is believed to have originated in Ukraine, was almost extinct at the start of last year, after law enforcement seized control of Emotet infrastructure and reportedly arrested individuals linked with the operation.

However, since mid-November 2021, new Emotet samples have started popping up once again. These are quite similar to the previous strain, but have a different encryption scheme, and are being delivered to machines infected by TrickBot.

Via:BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics

This new phishing strategy utilizes GitHub comments to distribute malware

Smeg Combi Steam Oven review: a multi-functional countertop oven that looks stunning and cooks well