Microsoft Defender for Endpoint is currently blocking the opening of Office documents and the launch of some executable files due to false positive labeling of the files as a potential Emotet malware payload cluster.
Windows system admins report that this is after updating the definitions of Microsoft's enterprise endpoint security platform (formerly known as Microsoft Defender ATP) to version 1.353.1874.0.
When enabled, Defender for Endpoint will block the file from opening and will display a suspicious activity-related error associated with Win32 / PowEmotet.SB or Win32 / PowEmotet.SC.
"We see issues with the 1.353.1874.0 definition update that detects printing as Win32 / PowEmotet.SB," said one admin.
"We see this detected for Excel, any Office application that uses MSIP.ExecutionHost.exe (AIP Sensitivity Client) and splwow64.exe," added another.
A third party confirmed the problems with today's definition updates: “We see the same behavior especially with version 1.353.1874.0 of definitions, which was released today and included a definition for Behavior: Win32 / PowEmotet.SB & Behavior: Win32 / PowEmotet.SC . ”
BleepingComputer was able to enable false positive on a Windows 10 virtual machine with the latest Microsoft Defender signatures, as shown below.
Although Microsoft has not yet released information on what causes this, the most likely reason is that the company has increased its sensitivity to detect Emotet-like behavior in the updates released today, which makes the general engine Defender behavior detection very sensitive to false positives.
The change was most likely caused by the recent revival of the Emotet botnet, as research teams Cryptolaemus, GData and Advanced Intel began to see TrickBot dumping Emotet loaders on infected devices.
Microsoft told BleepingComputer that it has fixed the problem for cloud-connected users who are working on a patch that will be released to everyone else.
"We are working to resolve an issue where some customers may have encountered a number of false positives. The issue has been resolved for cloud-connected clients, "said a Microsoft spokesman.
Update 30/11/21: Microsoft statement added.