Researchers and system administrators have noted multiple false positives triggered by legitimate Microsoft Office activity since Microsoft Defender for Endpoint updated to version 1.353.1874.0. In some cases, researchers have reported that simply opening Excel, or any Office app that uses MSIP.ExecutionHost.exe (AIP Sensitivity Client) and splwow64.exe, triggers a Defender block that keeps the file from opening. The accompanying error cites suspicious activity linked to Win32/PowEmotet.SB or Win32/PowEmotet.SC. The changes are speculated to be part of an attempt to detect malicious behavior associated with the new Emotet malware campaign.
The issue is ongoing, but Microsoft issued a statement noting that “We are working to resolve an issue where some customers may have experienced a series of false-positive detections. This issue has been resolved for cloud-connected customers.”
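For an administrator triaging affected endpoints, the following PowerShell is an added example (not code from the report or from Microsoft) that uses the built-in Defender cmdlets to check the security intelligence version and list PowEmotet detections together with the process that triggered them. It assumes that 1.353.1874.0 is the signature version reported by Get-MpComputerStatus and that the detections surface under threat names containing "PowEmotet".

```powershell
# Added triage example, not part of the original report.
# Assumption: 1.353.1874.0 is the security intelligence (signature) version named above.
$suspectVersion = [version]'1.353.1874.0'
$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
Write-Host "Security intelligence version: $current (updated $($status.AntivirusSignatureLastUpdated))"
if ($current -ge $suspectVersion) {
    Write-Warning "Signature version is at or above $suspectVersion; PowEmotet false positives are possible."
}

# Map ThreatID -> ThreatName so detection records can be filtered by family name.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

# Collect every PowEmotet detection with the triggering process and the blocked resource(s).
$hits = Get-MpThreatDetection | Where-Object {
    $threatNames[$_.ThreatID] -like '*PowEmotet*'
} | ForEach-Object {
    [pscustomobject]@{
        Detected  = $_.InitialDetectionTime
        Threat    = $threatNames[$_.ThreatID]
        Process   = $_.ProcessName
        Resources = ($_.Resources -join '; ')
    }
}

# Office-related processes named in the report (EXCEL.EXE assumed for the Excel case).
# A PowEmotet hit attributed to one of these is a candidate false positive to re-check
# once the endpoint has received Microsoft's corrected signatures.
$officeProcs = 'MSIP.ExecutionHost.exe', 'splwow64.exe', 'EXCEL.EXE'
$hits | Sort-Object Detected -Descending | Format-Table -AutoSize
$hits | Where-Object { $p = $_.Process; $officeProcs | Where-Object { $p -like "*$_" } } |
    Select-Object Detected, Threat, Process
```

Run it in an elevated PowerShell session on the endpoint; ProcessName in Get-MpThreatDetection holds the full image path, which is why the match uses a trailing wildcard pattern.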