Microsoft Defender flags Office update as ransomware
Enterprise IT admins had a rough morning: beginning last night, Microsoft Defender for Endpoint produced a flurry of false positives, incorrectly flagging Microsoft Office updates as malicious and reporting that potential ransomware behavior had been detected on affected systems.
Because nearly every enterprise workstation has Office installed, the update's rollout caused Microsoft's endpoint protection to raise the same alert on device after device. Many IT administrators paused what they were doing and reported the flood of alerts to Microsoft, which then confirmed the problem. Microsoft's statement reads:
Starting on the morning of March 16th, customers may have experienced a series of false-positive detections that are attributed to a Ransomware behavior detection in the file system. Admins may have seen that the erroneous alerts had a title of 'Ransomware behavior detected in the file system,' and the alerts were triggered on OfficeSvcMgr.exe.
Our investigation found that a recently deployed update within service components that detect ransomware alerts introduced a code issue that was causing alerts to be triggered when no issue was present. We deployed a code update to correct the problem and ensure that no new alerts will be sent, and we’ve re-processed a backlog of alerts to completely remediate impact.
The cloud code and policy updates have been rolling out for several hours now, but admins in some regions may wait longer to receive them. If you are still seeing a large number of these alerts, don't panic: hold off on remediation against them and let Microsoft Defender for Endpoint reprocess them automatically once the fix reaches your tenant. Do confirm that each alert actually matches the known pattern (the 'Ransomware behavior detected in the file system' title, triggered on OfficeSvcMgr.exe, within the incident window) before treating it as noise; a ransomware alert on any other process still deserves a normal investigation.
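To separate this incident's noise from alerts that still need attention, the following advanced hunting query can be run in the Microsoft 365 Defender portal. It is an added example, not part of the original article or of Microsoft's statement; it uses the standard AlertInfo and AlertEvidence schema, and the three-day lookback window is an assumption (the article gives only the March 16th start date), so adjust it to your tenant's incident window.

```kql
// Added example: count alerts that match the known false-positive pattern
// (title + OfficeSvcMgr.exe) and list the devices they landed on.
// The ago(3d) window is an assumption; widen or narrow it as needed.
let lookback = ago(3d);
let fpTitle = "Ransomware behavior detected in the file system";
AlertInfo
| where Timestamp > lookback
| where Title == fpTitle
| join kind=inner (
    AlertEvidence
    | where Timestamp > lookback
    | where EntityType in ("File", "Process")
    | where FileName =~ "OfficeSvcMgr.exe"
    | project AlertId, DeviceName, FolderPath
  ) on AlertId
| summarize
    MatchingAlerts = dcount(AlertId),
    AffectedDevices = dcount(DeviceName),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by Title, ServiceSource
```

Alerts with the same title that do not join to an OfficeSvcMgr.exe evidence row fall outside this pattern and should be triaged as usual; dropping the `summarize` and projecting `AlertId, DeviceName, FolderPath` instead gives the per-device list if you need to confirm which machines were affected.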