Security News > 2022 > March > Microsoft Defender tags Office updates as ransomware activity
Windows admins were hit today by a wave of Microsoft Defender for Endpoint false positives where Office updates were tagged as malicious in alerts pointing to ransomware behavior detected on their systems.
Following the surge of reports, Microsoft confirmed the Office updates were mistakenly marked as ransomware activity due to false positives.
"Starting on the morning of March 16th, customers may have experienced a series of false-positive detections that are attributed to a Ransomware behavior detection in the file system. Admins may have seen that the erroneous alerts had a title of 'Ransomware behavior detected in the file system,' and the alerts were triggered on OfficeSvcMgr.exe," Microsoft said following users' reports.
After the cloud logic update rollout, the incorrect ransomware activity alerts will no longer be generated.
According to Microsoft, the issue "May have potentially affected" admins who attempted to view ransomware alerts in Microsoft Defender for Endpoint.
Since October 2020, admins have had to deal with other similar Defender for Endpoint issues, including one alerting of network devices infected with Cobalt Strike and another one marking Chrome updates as PHP backdoors.
News URL
Related news
- Microsoft 365 outage takes down Office web apps, admin center (source)
- Microsoft fixes bug behind random Office 365 deactivation errors (source)
- Microsoft 365 apps crash on Windows Server after Office update (source)
- Microsoft ends support for Office apps on Windows 10 in October (source)
- Microsoft fixes Office 365 apps crashing on Windows Server systems (source)
- Ransomware attackers are “vishing” organizations via Microsoft Teams (source)
- Ransomware gangs pose as IT support in Microsoft Teams phishing attacks (source)