IT departments are pretty nervous nowadays, since threat actors keep breaching big companies’ systems at a rapid pace. Ransomware in particular is a total nightmare for them: it can cause massive damage to company systems, or force a beefy payment to the attackers for the sake of saving the files in storage. Microsoft accidentally triggered that nightmare for IT employees by sending a false Microsoft Defender for Endpoint notification to its customers.
“Ransomware behavior detected”
The false alerts were titled “Ransomware behavior detected in the file system” and pointed at the OfficeSvcMgr.exe file, Microsoft’s own Office Serviceability Manager executable. The incident happened on the 17th of March, between 14:39 and 16:50 GMT.

After the incident, Microsoft immediately announced that it was caused by the new updates for Microsoft Office components. The company then tweaked Defender for Endpoint to fix the issue. Steve Sholz, principal technical specialist at Microsoft, said:
« Our investigation found that a recently deployed update within service components that detect ransomware alerts introduced a code issue that was causing alerts to be triggered when no issue was present. We deployed a code update to correct the problem and ensure that no new alerts will be sent, and we’ve re-processed a backlog of alerts to completely remediate the impact.
This issue may have potentially affected any of your admins attempting to view ransomware alerts in Microsoft Defender for Endpoint »
Sholz also stated that they are investigating how the code slipped through the testing and validation periods, in order to prevent future false alert incidents like this one.
Despite the immediate information and the tweaks made to fix the issue, we are pretty sure some IT employees had a small stroke over the ransomware notification from Microsoft Defender for Endpoint.