Oops! Microsoft Defender Freaks Sys Admins Out By Flagging Office Update As Ransomware

office surface
System administrators were in for a surprise when Windows Defender flagged a recent Microsoft Office Update as malware. That was, fortunately, a false positive, but when you manage hundreds or thousands of endpoints and they all start getting flagged, you might as well give a sysadmin a heart attack.

On March 16th, an update to many versions of Microsoft Office was rolled out. That update was flagged as malware by Windows Defender. If you were an individual user you likely didn't see this, however, if you are a system administrator who uses Windows Defender to scan your endpoints, you potentially got numerous false-positive flags.
defender interface
According to Reddit user u/vertisnow when running a command for Defender to test against the Microsoft Office Serviceability Manager, a false-positive was triggered. That particular utility is the tool that confirms access to things like a Microsoft 365 license, thus making it so that people within organizations can use the appropriately licensed version of the software. As such, deleting it would be bad, even if it does get flagged as malware. Most reports seem to indicate the issue affected cloud-related organizations, such as those deployed using Microsoft 365. That's no small number of users, though. According to a 2019 report there are more than 200 million active Microsoft 365 users.

There is a fairly entertaining root cause to this issue. The cause happened to be an update to the service components for the Microsoft Office Serviceability Manager tool. The tool itself was updated to better detect ransomware attacks, but the code used was flawed and triggered alerts even if malware was not detected.
scaled office apps
Luckily Microsoft was able to react quickly and its engineers were able to roll out a patch to the cloud logic allowing that version of Defender to ignore those false positives. No action is needed on the part of system administrators, other than probably telling them to dismiss their existing false positives. Microsoft did say that those should clear out automatically post-update, though.