Windows admins were hit today by a wave of Microsoft Defender for Endpoint false positives where Office updates were tagged as malicious in alerts pointing to ransomware behavior detected on their systems.
According to Windows system admins reports [
1,
2,
3,
4], this started happening several hours ago and, in some cases, it led to a "downpour of ransomware alerts."
Following the surge of reports, Microsoft confirmed the Office updates were mistakenly marked as ransomware activity due to false positives.
Redmond added that its engineers updated cloud logic to prevent future alerts from showing up and remove the previous false positives.
"Starting on the morning of March 16th, customers may have experienced a series of false-positive detections that are attributed to a Ransomware behavior detection in the file system. Admins may have seen that the erroneous alerts had a title of 'Ransomware behavior detected in the file system,' and the alerts were triggered on OfficeSvcMgr.exe," Microsoft said following users' reports.
"Our investigation found that a recently deployed update within service components that detect ransomware alerts introduced a code issue that was causing alerts to be triggered when no issue was present. We deployed a code update to correct the problem and ensure that no new alerts will be sent, and we've re-processed a backlog of alerts to completely remediate impact."
After the cloud logic update rollout, the incorrect ransomware activity alerts will no longer be generated. All logged false positives should also automatically clear from the portal without requiring the admins' intervention.
