Researchers and system administrators have noted multiple instances of false positives triggered by legitimate Microsoft Office activity since Microsoft Defender for Endpoint was updated to version 1.353.1874.0. In some reported cases, simply opening Excel, or any Office app that uses MSIP.ExecutionHost.exe (AIP Sensitivity Client) and splwow64.exe, generates a Defender block that keeps the file from opening. An error is also generated that mentions suspicious activity linked to Win32/PowEmotet.SB or Win32/PowEmotet.SC. The changes are speculated to be related to an attempt to detect malicious behavior associated with the new Emotet malware campaign.
The issue is ongoing, but Microsoft issued a statement noting that “We are working to resolve an issue where some customers may have experienced a series of false-positive detections. This issue has been resolved for cloud-connected customers.”
Analyst Notes
Depending on an organization’s risk management framework and overall security strategy, it may be advisable to pause Windows Update through group policy until the issue is resolved, to avoid blocking Microsoft Office applications. For organizations that have already updated, individual users who require applications that are being blocked can use the cloud version of the application or roll back the change on individual machines. Software updates on enterprise-level infrastructure require central coordination and management of all updates, as well as thorough testing before deployment into production.
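As an added triage helper (not part of the original report), the following PowerShell script checks whether an endpoint is on the signature version cited above, lists any local Defender detections attributed to Win32/PowEmotet.SB or .SC together with the process that was blocked, and optionally performs the per-machine rollback the notes mention. The rollback uses Defender's standard MpCmdRun.exe -RemoveDefinitions -All option followed by a fresh signature pull, which the report itself does not name.

```powershell
# Added triage helper (not from the original report). Run in an elevated PowerShell
# session on a Windows endpoint with Microsoft Defender Antivirus. Assumptions:
# the affected version is the one cited in the report; the rollback command is
# Defender's standard MpCmdRun.exe option, which the report does not name.
param([switch]$RollBack)

$AffectedVersion = [version]'1.353.1874.0'   # version named in the report

$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
Write-Host "Security intelligence version: $current (updated $($status.AntivirusSignatureLastUpdated))"

if ($current -eq $AffectedVersion) {
    Write-Warning "Endpoint is on the signature version associated with the PowEmotet false positives."
} else {
    Write-Host "Endpoint is not on $AffectedVersion; check whether any detections below still match."
}

# Threat records whose name matches the signatures named in the report.
$suspect = Get-MpThreat | Where-Object { $_.ThreatName -match 'PowEmotet\.S[BC]' }
if (-not $suspect) {
    Write-Host "No Win32/PowEmotet.SB or .SC detections recorded on this endpoint."
    return
}

# Join each detection event to its threat record and show which process was blocked.
# Office binaries, MSIP.ExecutionHost.exe or splwow64.exe here fit the false-positive
# pattern described; any other process deserves a real investigation, not a rollback.
$byId = @{}
foreach ($t in $suspect) { $byId[$t.ThreatID] = $t.ThreatName }
Get-MpThreatDetection |
    Where-Object { $byId.ContainsKey($_.ThreatID) } |
    Sort-Object InitialDetectionTime -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Detected  = $_.InitialDetectionTime
            Threat    = $byId[$_.ThreatID]
            Process   = $_.ProcessName
            Resources = ($_.Resources -join '; ')
        }
    } | Format-Table -AutoSize

if ($RollBack) {
    # Remove the current definitions, then pull the latest set from Microsoft.
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    Update-MpSignature
} else {
    Write-Host "Re-run with -RollBack to remove the current definitions and fetch the latest set."
}
```

Run it without -RollBack first: the process column is what tells you whether the blocks match the benign Office pattern in the report before you touch the definitions.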
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-scares-admins-with-emotet-false-positives/
https://twitter.com/GossiTheDog/status/1465805480069107715