Microsoft Defender for Endpoint tags Office updates as ransomware activity


Level 66
Thread author
Honorary Member
Top Poster
Content Creator
Apr 24, 2016
Windows admins were hit today by a wave of Microsoft Defender for Endpoint false positives where Office updates were tagged as malicious in alerts pointing to ransomware behavior detected on their systems.

According to Windows system admins reports [1, 2, 3, 4], this started happening several hours ago and, in some cases, it led to a "downpour of ransomware alerts."

Following the surge of reports, Microsoft confirmed the Office updates were mistakenly marked as ransomware activity due to false positives.

Redmond added that its engineers updated cloud logic to prevent future alerts from showing up and remove the previous false positives.

"Starting on the morning of March 16th, customers may have experienced a series of false-positive detections that are attributed to a Ransomware behavior detection in the file system. Admins may have seen that the erroneous alerts had a title of 'Ransomware behavior detected in the file system,' and the alerts were triggered on OfficeSvcMgr.exe," Microsoft said following users' reports.

"Our investigation found that a recently deployed update within service components that detect ransomware alerts introduced a code issue that was causing alerts to be triggered when no issue was present. We deployed a code update to correct the problem and ensure that no new alerts will be sent, and we've re-processed a backlog of alerts to completely remediate impact."

After the cloud logic update rollout, the incorrect ransomware activity alerts will no longer be generated. All logged false positives should also automatically clear from the portal without requiring the admins' intervention.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.