Office 365 to Prevent Malicious Docs From Infecting Windows

Microsoft Office 365 ProPlus is getting a new feature called Application Guard that will allow users to open attachments in a virtualized container to protect Windows from malicious macros and exploits.

Microsoft Edge for Windows 10 includes a feature called Windows Defender Application Guard that allows you to launch a browser tab into a special sandboxed environment.  As this browsing environment is sandboxed, any malicious sites that attempt to exploit vulnerabilities, download malicious software, or exhibit malicious behavior will be blocked from affecting the normal machine.

This same virtualized sandbox is now coming to Microsoft Office in order to protect users from malicious attachments that are commonly used to install malware.

Microsoft Office Application Guard

Microsoft Office 365 ProPlus users are now getting a similar feature called Microsoft Office Application Guard. In order to use this feature, users will need to be running Windows 10 with the Application Guard feature installed.

David Weston, Microsoft Partner Director of OS Security, told BleepingComputer that an untrusted Office document such as a Word document or Excel spreadsheet with macros will automatically be opened in a virtualized container that is protected with hardware level security and restricted from accessing the normal Windows operating environment.

"We’re extending the same Application Guard protections from Edge to Office using a micro-container virtual machine that takes advantage of hardware-rooted trust. The user won’t need to click on a separate button to open a document inside the Application Guard container. All untrusted documents which used to open in Office protected view will now open inside the Application Guard container."

When a document is opened in Application Guard, Microsoft Office will display an indicator as shown in the image below.

While users will be able to print, edit, and save changes, this sandboxed environment will prevent malicious macros from installing malware, exploiting vulnerabilities, or executing PowerShell or JavaScript commands that can affect your normal Windows environment.

If a user decides to "trust" a document, before being allowed to use the document, it will be scanned first using the Microsoft Defender Advanced Threat Protection threat cloud for extra protection.

As spam emails containing malicious Word and Excel documents are one of the most common vectors for installing malware such as ransomware, data-stealing and keylogging Trojans, RATs, and malware downloaders, this protection is a very useful feature for any user.

This feature is currently in limited preview and will become generally available in the summer of 2020.

Update 11/5/19: Updated to include further information and and an image from Microsoft.