Microsoft Defender drops "downpour" of false ransomware alerts on customers
System administrators made numerous reports of false-positive results being flagged for seemingly innocuous files and behaviours on Wednesday
Microsoft has confirmed that a code issue in Microsoft Defender for Endpoint has led to a wave of false-positive ransomware alerts for Microsoft customers.
Some system administrators reported issues on Wednesday afternoon involving numerous ransomware detections in their file systems.
Specifically, the erroneous alerts were titled ‘Ransomware behaviour detected in the file system’ and were triggered on ‘OfficeSvcMgr.exe.’, Microsoft said, with alerts occurring for around two hours between 14:39 - 16:50 (UTC).
It said a recent update that it deployed “within service components that detect ransomware alerts” introduced a code issue that led to false ransomware detections in the company’s security solution.
Microsoft has issued another code update that should correct the problem, according to Microsoft's Steve Sholz, principal technical specialist at Microsoft, updating customers via social media.
Sholz said Microsoft has updated its cloud logic to suppress the false-positive alerts and has re-processed a backlog of alerts to “completely remediate impact”. Affected customers should find the false-positives should clear from their portal without any intervention.
Microsoft is now investigating how the code error slipped through its testing and validation processes, with the hope that it will prevent similar issues from occurring again in the future.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Microsoft customers reported that the errors began appearing after they updated their security definitions, which led to a “downpour of ransomware alerts” for some.
Microsoft Office files were commonly being flagged as ransomware, according to some reports, while other behaviours like deleting shadow copies also triggered false-positive alerts for some.
Elsewhere, users on Windows 11 have reported numerous problems since installing the March security update, including slow program load times after booting, File Explorer lagging, and a malfunctioning Windows Terminal, among other issues.
RELATED RESOURCE
Modernise your server infrastructure for speed and security
Infrastructure lifecycle automation paves the way for an adaptive, resilient organisation
IT Pro has contacted Microsoft to understand if it’s aware of the issues and what is being done to address them, but it did not immediately reply at the time of publication.
A total of 92 security vulnerabilities were fixed as part of the most recent March update, including a Windows 11 issue that prevented some users from erasing all their files after a system reset.
Microsoft has also been criticised by system administrators this year for releasing ‘broken’ patches that have led numerous organisations to forgo important security fixes out of fear they may cause more disruption than they solve.
Windows Server administrators said January’s security fixes “made the problem worse”, including creating an issue where they were unable to see the Active Directory environment in Microsoft Exchange, for example.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.
-
Working with the enemy: Ransomware negotiator-turned cyber criminal jailed after working with hackers to extort clientsNews Angelo Martino was supposed to be negotiating on behalf of victims, but was secretly working for ransomware operators
-
Hackers are posing as Interpol to target small businesses – here's what you need to knowNews Small businesses are warned to think twice before clicking on links
-
‘Every hour ransomware goes undetected drastically increases its potential blast radius’: Hackers are breaching networks and laying low for longer – and nearly half of firms don’t realize until data is stolenNews An ExtraHop survey found more intrusions are going undetected, leading to longer dwell times
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacksNews NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments
-
Instructure chose to a pay ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suitAnalysis Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti
-
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitationNews A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation

