Today many organizations were hit by an issue where they lost access to their Microsoft Office apps, such as Outlook, Excel and Word, on their Windows machines. This is a bug caused by the latest signature update from Microsoft (it ships with Defender security intelligence version 1.381.2140) and affects machines where the ASR (Attack Surface Reduction) rule “Block Win32 API calls from Office macro” is configured in Block mode.

Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware – Microsoft Security Intelligence

You can also see the status from Microsoft here, including that they are reverting the rule change.

Microsoft 365 Status on Twitter: “We’re investigating an issue where users are unable to access application shortcuts on the Start menu and Taskbar in Windows. For more details and updates, please follow the SI MO497128 in your admin center.” / Twitter

However, in the meantime, the workaround is to set the ASR rule to Audit mode instead of Block, as shown in the screenshot here.


Once Microsoft publishes a corrected signature update, this workaround is no longer needed and you can set the rule back to Block mode.
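For machines where the rule is configured locally rather than through Intune, the same switch to Audit mode can be made with the Defender PowerShell module. This is an added example, not from the original post; the rule GUID is Microsoft's published ID for “Block Win32 API calls from Office macros”, and the script assumes an elevated PowerShell session on the affected machine.

```powershell
# Added example: move the "Block Win32 API calls from Office macros" ASR rule
# from Block to Audit mode locally and show the rule's state before and after.
# Caveat: if the rule is delivered by Intune/MDM or Group Policy, the policy
# wins at the next sync, so the change belongs in the policy (as in the post).

$ruleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'   # Block Win32 API calls from Office macros
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleAction([string]$Id) {
    $pref = Get-MpPreference
    # Ids and Actions are parallel arrays; locate our rule and map its action code
    $ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpper() })
    $index = [array]::IndexOf($ids, $Id.ToUpper())
    if ($index -lt 0) { return 'NotConfigured' }
    $code = [int]$pref.AttackSurfaceReductionRules_Actions[$index]
    if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown($code)" }
}

"Before: $(Get-AsrRuleAction $ruleId)"

# Add-MpPreference appends or updates the entry for this rule ID only;
# Set-MpPreference would replace the whole rule list and drop your other rules.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions AuditMode

"After:  $(Get-AsrRuleAction $ruleId)"
```

Run the same script with `Block` in place of `AuditMode` once the corrected signature update is in place.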

The other issue is that the rule also deletes the Office desktop shortcuts. To fix this, you can use the Microsoft 365 Quick Repair:

  1. On the Windows Start screen, type Control Panel.
  2. Click or tap Control Panel.
  3. Under Programs, click or tap Uninstall a program.
  4. Click or tap Microsoft 365, and then click or tap Change.
  5. Click or tap Quick Repair, and then click or tap Repair.


Since this also deletes other shortcuts, I’ve made a Kusto (KQL) query to find the affected .lnk files (works if you have Microsoft Defender for Endpoint):

// Shortcut (.lnk) files removed by the ASR rule since the bad signature shipped, per device
let deviceevent =
DeviceEvents
| where ActionType == "AsrOfficeMacroWin32ApiCallsBlocked"
    and Timestamp >= datetime("2023-01-13 00:00:00Z")
| where FileName contains ".lnk"
| summarize count() by FileName, DeviceName;
// DeviceInfo holds many snapshots per device; keep only the latest so devices are not duplicated
DeviceInfo
| summarize arg_max(Timestamp, LoggedOnUsers) by DeviceName
| extend users = parse_json(LoggedOnUsers)
| mv-expand users
| extend loggedusers = users.UserName
| project DeviceName, loggedusers
// Join the affected shortcuts onto the logged-on users of each device
| lookup kind = leftouter deviceevent on DeviceName

azuread/kqldetectasrblock at main · msandbu/azuread (github.com)

