Microsoft Defender tags Office updates as ransomware activity
Windows admins were hit today by a wave of Microsoft Defender for Endpoint false positives in which Office updates were flagged as malicious, with alerts reporting ransomware behavior detected on their systems.
Following the surge of reports, Microsoft confirmed the Office updates were mistakenly marked as ransomware activity due to false positives.
"Starting on the morning of March 16th, customers may have experienced a series of false-positive detections that are attributed to a Ransomware behavior detection in the file system. Admins may have seen that the erroneous alerts had a title of 'Ransomware behavior detected in the file system,' and the alerts were triggered on OfficeSvcMgr.exe," Microsoft said following users' reports.
After the cloud logic update rollout, the incorrect ransomware activity alerts will no longer be generated.
According to Microsoft, the issue "May have potentially affected" admins who attempted to view ransomware alerts in Microsoft Defender for Endpoint.
Since October 2020, admins have had to deal with other similar Defender for Endpoint issues, including one that alerted on network devices as infected with Cobalt Strike and another that flagged Chrome updates as PHP backdoors.