Microsoft extends support for its Antimalware Scan Interface (AMSI) to Office 365 client applications, offering its customers protection against script-based threats at runtime.
AMSI has been around since 2015, when it first appeared in the Windows 10 Technical Preview. It allows applications and services to communicate with a security product on the system and request, at runtime, a scan of a memory buffer.
The interface is generic, so it works with any antimalware solution that implements it. Because it is available only for Windows 10, and antivirus makers have to cover multiple platforms, its adoption was slow initially, but at the moment support is available in all major antivirus products.
Integrating AMSI into Office 365 client applications aims to deliver protection against malicious macros in the final stage of the attack when the scripting engine runs the code in its plain, unobfuscated form.
Microsoft explains that with Office VBA, the AMSI integration functions in three steps: logging the macro behavior, requesting a scan from the antimalware solution, and stopping the malicious macro.
In a real-world scenario, when the victim enables macros and triggers the deobfuscation routine, the behavior monitoring component logs the resulting code and passes it to the antivirus.
Even if the entire operation happens in memory, as is the case with fileless malware, AMSI still delivers the behavior log to the antivirus product.
Scripting engines are not the only ones that can communicate through AMSI. Any other app can take advantage of it, as long as its developer chooses to have the software send scan requests to security solutions.
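The scan request described above (an application handing a memory buffer to whichever AMSI provider is registered and acting on the verdict, the same three-step flow the article attributes to Office VBA) can be exercised from PowerShell. The script below is an added example written for this page; it is not Microsoft's code and not part of the original article. It assumes a Windows 10 or later host with an AMSI-capable antivirus registered, and the `Demo.AmsiNative` type name, the `Invoke-AmsiScan` and `Get-AmsiVerdict` function names, the `AmsiDemo` application name and the benign macro-like sample text are all constructed for the example.

```powershell
# Added example (not from the article): ask the registered AMSI provider to scan
# an in-memory buffer via the documented amsi.dll flat API, then interpret the
# AMSI_RESULT it returns. Windows 10+ only. Type/function names are constructed.
Add-Type -Name 'AmsiNative' -Namespace 'Demo' -MemberDefinition @'
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);
[DllImport("amsi.dll")]
public static extern void AmsiUninitialize(IntPtr amsiContext);
[DllImport("amsi.dll")]
public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr session);
[DllImport("amsi.dll")]
public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr session);
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
                                        string contentName, IntPtr session, out int result);
'@

# Map the numeric AMSI_RESULT to its documented meaning. Values at or above
# AMSI_RESULT_DETECTED (32768) are malware; 0x4000-0x4FFF are admin-policy blocks.
function Get-AmsiVerdict {
    param([Parameter(Mandatory)][int]$Result)
    if ($Result -eq 0) { return 'AMSI_RESULT_CLEAN' }
    if ($Result -eq 1) { return 'AMSI_RESULT_NOT_DETECTED' }
    if ($Result -ge 0x4000 -and $Result -le 0x4FFF) { return 'AMSI_RESULT_BLOCKED_BY_ADMIN' }
    if ($Result -ge 32768) { return 'AMSI_RESULT_DETECTED' }
    return "undetermined ($Result)"
}

# Step 1: the calling application already holds the (deobfuscated) content in memory.
# Step 2: hand it to the provider through AmsiScanBuffer.
# Step 3: the caller decides what to do with the verdict (here it is just reported).
function Invoke-AmsiScan {
    param(
        [Parameter(Mandatory)][byte[]]$Buffer,
        [string]$ContentName = 'in-memory-sample',
        [string]$AppName = 'AmsiDemo'   # shown to the provider as the requesting app
    )
    $ctx = [IntPtr]::Zero; $session = [IntPtr]::Zero; $result = 0
    $hr = [Demo.AmsiNative]::AmsiInitialize($AppName, [ref]$ctx)
    if ($hr -ne 0) { throw ('AmsiInitialize failed: 0x{0:X8}' -f $hr) }
    try {
        # A session lets the provider correlate several buffers from one document/script.
        $hr = [Demo.AmsiNative]::AmsiOpenSession($ctx, [ref]$session)
        if ($hr -ne 0) { throw ('AmsiOpenSession failed: 0x{0:X8}' -f $hr) }
        $hr = [Demo.AmsiNative]::AmsiScanBuffer($ctx, $Buffer, [uint32]$Buffer.Length,
                                                $ContentName, $session, [ref]$result)
        if ($hr -ne 0) { throw ('AmsiScanBuffer failed: 0x{0:X8}' -f $hr) }
        [pscustomobject]@{
            ContentName = $ContentName
            RawResult   = $result
            Verdict     = Get-AmsiVerdict -Result $result
            IsMalware   = ($result -ge 32768)   # same test as the AmsiResultIsMalware macro
        }
    }
    finally {
        if ($session -ne [IntPtr]::Zero) { [Demo.AmsiNative]::AmsiCloseSession($ctx, $session) }
        if ($ctx -ne [IntPtr]::Zero) { [Demo.AmsiNative]::AmsiUninitialize($ctx) }
    }
}

# Constructed, benign macro-like text standing in for the plain-text form a
# scripting engine would hold after deobfuscation. Script content is passed as UTF-16.
$sample = @'
Sub AutoOpen()
    MsgBox "Hello from a harmless sample macro"
End Sub
'@
Invoke-AmsiScan -Buffer ([Text.Encoding]::Unicode.GetBytes($sample)) -ContentName 'sample.vba' |
    Format-List
```

Run it in a normal (non-elevated) PowerShell session; the benign sample should come back as clean or not detected. To confirm the provider is actually answering rather than silently returning clean, scan the bytes of an EICAR test file you have placed on disk yourself rather than pasting the test string into the script: PowerShell's own AMSI hook scans the script text before it runs, so a literal copy would cause the script itself to be flagged. If `AmsiInitialize` succeeds but every verdict is `AMSI_RESULT_CLEAN` regardless of input, check that an AMSI provider is registered under `HKLM\SOFTWARE\Microsoft\AMSI\Providers`.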
Windows Defender's cloud-based protection service uses AMSI to collect signals from devices executing documents with suspicious macro code and sends the verdict in real time to other customers that run Microsoft's antivirus with the cloud protection feature turned on.
"This protection is also delivered to the rest of Microsoft 365 customers. Through the Microsoft Intelligent Security Graph, security signals are shared across components of Microsoft 365 threat protection," Microsoft details in a blog post.
Furthermore, Windows Defender shares its detections of documents with malicious macros with Office 365 ATP email security service, which prevents the files from reaching customers' inboxes.
AMSI is currently enabled by default on the Monthly Channel for Office 365 client applications for Word, Excel, PowerPoint, Access, Visio, and Publisher.
Under this configuration, all macros are inspected at runtime via AMSI, with the following exceptions: