Windows admins were hit today by a wave of Microsoft Defender for Endpoint false positives in which Office updates were flagged as malicious, with alerts reporting ransomware behavior detected on their systems.
According to reports from Windows system admins [1, 2, 3, 4], this started several hours ago and, in some cases, led to a “downpour of ransomware alerts.”
Following the surge of reports, Microsoft confirmed that the Office updates had been mistakenly flagged as ransomware activity.
Redmond added that its engineers have updated the cloud logic to stop further alerts from being generated and to remove the earlier false positives.
“Starting on the morning of March 16th, customers may have experienced a series of false-positive detections that are attributed to a Ransomware behavior detection in the file system. Admins may have seen that the erroneous alerts had a title of ‘Ransomware behavior detected in the file system,’ and the alerts were triggered on OfficeSvcMgr.exe,” Microsoft said following users’ reports.
“Our investigation found that a recently deployed update within service components that detect ransomware alerts introduced a code issue that was causing alerts to be triggered when no issue was present. We deployed a code update to correct the problem and ensure that no new alerts will be sent, and we’ve re-processed a backlog of alerts to completely remediate impact.”
Once the cloud logic update has rolled out, the erroneous ransomware alerts will no longer be generated, and the false positives already logged should clear from the portal automatically, without admin intervention.
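Admins who want to confirm how far the incident reached in their own tenant can scope it with an Advanced Hunting query. The query below is an added example, not part of the article or anything Microsoft published; it assumes the standard Microsoft 365 Defender AlertInfo and AlertEvidence tables, reuses the alert title and file name Microsoft cited in its statement, and the seven-day look-back window is an assumption chosen to cover the March 16 start date.

```kql
// Added example (not from the article): scope the OfficeSvcMgr.exe
// "Ransomware behavior detected in the file system" false positives in one tenant.
// Assumes the AlertInfo / AlertEvidence Advanced Hunting schema; the 7-day window
// is an assumption and should be widened if the hunt runs later.
let suspectTitle = "Ransomware behavior detected in the file system";
let suspectFile  = "OfficeSvcMgr.exe";
AlertInfo
| where Timestamp > ago(7d)
| where Title == suspectTitle
| join kind=inner (
    AlertEvidence
    | where FileName =~ suspectFile
    | project AlertId, FileName, FolderPath, SHA1, DeviceName
) on AlertId
| summarize FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Alerts    = dcount(AlertId),
            Devices   = dcount(DeviceName),
            Hashes    = make_set(SHA1)
            by Title, FileName, FolderPath
| order by FirstSeen asc
```

The summary gives the affected-device count and the time span, which is what an incident ticket or a change record for this event needs. It also groups by path and hash: every hit should point at the same Office installation path and the same small set of hashes. An alert with this title on a file of the same name in an unexpected location, or one that keeps firing after Microsoft's fix has propagated, should get an ordinary investigation rather than being written off as part of this incident.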
False positives triggered by a code change
According to Microsoft, the issue “may have potentially affected” admins who attempted to view ransomware alerts in Microsoft Defender for Endpoint.
The root cause of the false positives was a recently deployed update within service components for detecting ransomware alerts.
This introduced a code issue that caused the alerts to fire even though no ransomware activity was present on the system.
In November, Defender for Endpoint also blocked Office documents from opening and some Office executables from launching due to another false positive that tagged the files as Emotet malware payloads.
One month later, it also mistakenly showed “sensor tampering” alerts linked to the company’s newly deployed Microsoft 365 Defender scanner for Log4j processes.
Since October 2020, admins have had to deal with other similar Defender for Endpoint issues, including one that flagged network devices as infected with Cobalt Strike and another that marked Chrome updates as PHP backdoors.
A Microsoft spokesperson was not available for comment when contacted by BleepingComputer earlier today.