Microsoft Defender flags Office update as ransomware

Enterprise IT admins should be disturbed by a flurry of false positives starting last night: Microsoft Defender for Endpoint incorrectly flagged Microsoft Office updates as malicious, saying a potential ransomware behavior was detected on systems.

Windows Defender

Because almost every enterprise workstation has Office installed, the update rollout caused the Microsoft endpoint protection software to raise alerts immediately, with each device repeatedly popping up the security threat it had supposedly encountered. Many IT administrators had to temporarily halt operations and report the problem to Microsoft, which then confirmed the situation described above.

Microsoft issued a response saying that starting on the morning of March 16, customers may have experienced a series of false-positive detections attributed to ransomware behavior monitoring of the file system. Microsoft said:
Starting on the morning of March 16th, customers may have experienced a series of false-positive detections that are attributed to a Ransomware behavior detection in the file system. Admins may have seen that the erroneous alerts had a title of ‘Ransomware behavior detected in the file system,’ and the alerts were triggered on OfficeSvcMgr.exe.

Our investigation found that a recently deployed update within service components that detect ransomware alerts introduced a code issue that was causing alerts to be triggered when no issue was present. We deployed a code update to correct the problem and ensure that no new alerts will be sent, and we’ve re-processed a backlog of alerts to completely remediate impact.

Cloud code updates and policy updates have now been deployed for a few hours, but IT admins in some regions may take longer to receive them. So don't panic if you encounter a large number of these alerts: suspend operations and wait for Microsoft Defender for Endpoint to process them automatically.
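While waiting for the backlog to be reprocessed, an admin still has to tell the alert storm apart from anything genuine that arrived in the same window. The script below is an added example, not code from the article or from Microsoft: it takes exported alert records (a hypothetical schema with title, process and device fields, and constructed sample data) and sets aside only those matching both halves of the published signature, the exact alert title and the OfficeSvcMgr.exe process. An alert with the same title but a different process is deliberately kept in the review queue, since the false positive was specific to that one process.

```python
import re
from typing import Dict, Iterable, List, Tuple

Alert = Dict[str, str]

# Signature of the erroneous alert as described in Microsoft's statement:
# the alert title and the process the detection fired on.
FP_TITLE = "ransomware behavior detected in the file system"
FP_PROCESS = "officesvcmgr.exe"


def _normalize_title(title: str) -> str:
    # Strip whitespace and surrounding straight/curly quotes, then casefold so
    # minor formatting differences between consoles don't break the match.
    return title.strip().strip("'\u2018\u2019\"").casefold()


def _process_basename(process: str) -> str:
    # Alerts may carry a bare image name or a full path; compare only the final
    # path component, case-insensitively (Windows paths are not case-sensitive).
    return re.split(r"[\\/]", process.strip())[-1].casefold()


def is_known_false_positive(alert: Alert) -> bool:
    """True only when BOTH the title and the process match the signature."""
    return (
        _normalize_title(alert.get("title", "")) == FP_TITLE
        and _process_basename(alert.get("process", "")) == FP_PROCESS
    )


def triage_alerts(alerts: Iterable[Alert]) -> Tuple[List[Alert], List[Alert]]:
    """Split alerts into (likely_false_positive, needs_review).

    Same title on a different process is NOT dismissed: it gets the full
    review it would get on any other day.
    """
    likely_fp: List[Alert] = []
    needs_review: List[Alert] = []
    for alert in alerts:
        (likely_fp if is_known_false_positive(alert) else needs_review).append(alert)
    return likely_fp, needs_review


def devices_affected(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count matching alerts per device so the scope of the storm is visible."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        if is_known_false_positive(alert):
            dev = alert.get("device", "<unknown>")
            counts[dev] = counts.get(dev, 0) + 1
    return counts


# Constructed sample alerts (hypothetical schema: title, process, device).
# Device names and the file path below are made up for this example.
SAMPLE_ALERTS: List[Alert] = [
    {"title": "Ransomware behavior detected in the file system",
     "process": "OfficeSvcMgr.exe", "device": "ws-001"},
    {"title": "‘Ransomware behavior detected in the file system’",
     "process": r"C:\Program Files\ExamplePath\OfficeSvcMgr.exe",
     "device": "ws-001"},
    {"title": "Ransomware behavior detected in the file system",
     "process": "officesvcmgr.exe", "device": "ws-002"},
    # Same title, different process: must stay in the review queue.
    {"title": "Ransomware behavior detected in the file system",
     "process": "unknown-tool.exe", "device": "ws-003"},
    # Unrelated alert: untouched by the filter.
    {"title": "Suspicious PowerShell command line",
     "process": "powershell.exe", "device": "ws-002"},
]

if __name__ == "__main__":
    fp, review = triage_alerts(SAMPLE_ALERTS)
    print(f"likely false positives: {len(fp)}, still need review: {len(review)}")
    print("affected devices:", devices_affected(SAMPLE_ALERTS))
```

The match is intentionally strict on both fields; widening it to the title alone would also suppress any real detection that happened to fire under the same behavioral rule during the incident window.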

Via: bleepingcomputer