mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-19 12:23:37 +00:00
Incorp tech review.
@ -19,9 +19,9 @@ ms.author: v-anbic
|
|||||||
|
|
||||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
|
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
|
||||||
|
|
||||||
Attack surface reduction rules help prevent malware from using actions and apps to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1803 or later, or Windows Server 2019.
|
Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1803 or later, or Windows Server 2019.
|
||||||
|
|
||||||
To use attack surface reduction rules, you Windows 10 Enterprise E3 license or higher. An E5 license allows you to take advantage of the advanced monitoring and reporting capabilities available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) and the real-time views and configuration of the M365 dashboard. These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to view attack surface reduction rule events in Event Viewer.
|
To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. An E5 license lets you take advantage of the advanced monitoring and reporting capabilities available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) and the real-time views and configuration of the M365 dashboard. These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to view attack surface reduction rule events in Event Viewer.
|
||||||
|
|
||||||
Attack surface reduction rules target specific behaviors that malware and malicious apps typically use to infect computers, including:
|
Attack surface reduction rules target specific behaviors that malware and malicious apps typically use to infect computers, including:
|
||||||
|
|
||||||
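Review bot: the E3 sentence on the new side of the license paragraph ("you can develop your own monitoring and reporting tools to view attack surface reduction rule events in Event Viewer") tells the E3 reader to build tooling without saying which log channel or event IDs to query; name them or link the event-viewer section of this article so the sentence is actionable. Same paragraph: "M365 dashboard" is an abbreviation not introduced anywhere on this page; spell out the product name used elsewhere in the doc set. The "you Windows 10 Enterprise E3" typo fix and the "behaviors malware often uses" rewording are fine.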
@ -73,11 +73,10 @@ Except where specified, attack surface reduction rules don't apply to any other
|
|||||||
|
|
||||||
### Block executable content from email client and webmail
|
### Block executable content from email client and webmail
|
||||||
|
|
||||||
This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com:
|
This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers:
|
||||||
|
|
||||||
- Executable files (such as .exe, .dll, or .scr)
|
- Executable files (such as .exe, .dll, or .scr)
|
||||||
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
|
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
|
||||||
- Script archive files
|
|
||||||
|
|
||||||
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
|
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
|
||||||
|
|
||||||
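Review bot: the new side drops the "- Script archive files" bullet from the blocked-types list with no corresponding change anywhere else in the hunk. If the rule still blocks script archives the bullet should stay (the Intune name's "etc." gives no hint either way); if it no longer does, the "This rule blocks the following file types" sentence is now silently incomplete. Also, "PowerShell .ps" should be ".ps1" on both sides, and "other popular webmail providers" is vaguer than the Outlook/Outlook.com wording it extends; either name the providers the rule actually covers or keep the narrower claim.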
@ -113,9 +112,7 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899
|
|||||||
|
|
||||||
### Block Office applications from injecting code into other processes
|
### Block Office applications from injecting code into other processes
|
||||||
|
|
||||||
A macro can allocate memory inside a suspended process and inject code into it, converting the benign process into a malicious one. Code injection doesn't have any known use for legitimate business purposes. This rule detects DLL and EXE injection, as well as process hollowing and thread hijacking.
|
Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection.
|
||||||
|
|
||||||
This rule helps prevent attacks where malware runs malicious code in an attempt to hide the activity from antivirus scanning engines.
|
|
||||||
|
|
||||||
This rule applies to Word, Excel, and PowerPoint.
|
This rule applies to Word, Excel, and PowerPoint.
|
||||||
|
|
||||||
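Review bot: the rewrite removes the only concrete statement of coverage, "This rule detects DLL and EXE injection, as well as process hollowing and thread hijacking", along with the sentence about hiding activity from antivirus scanning engines, leaving "blocks code injection attempts" undefined. A detection engineer deciding whether this rule replaces a separate process-hollowing detection needs that list, so carry it into the new paragraph, e.g. "This rule blocks code injection attempts (DLL and EXE injection, process hollowing, and thread hijacking) from Office apps into other processes."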
@ -144,7 +141,7 @@ GUID: D3E037E1-3EB8-44C8-A917-57927947596D
|
|||||||
|
|
||||||
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script.
|
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script.
|
||||||
|
|
||||||
This rule prevents obfuscated scripts with suspicious behaviors from running. You can exclude scripts so they're allowed to run.
|
This rule blocks scripts from running downloaded content, preventing malicious use of the scripts to spread malware and infect computers. You can exclude scripts so they're allowed to run.
|
||||||
|
|
||||||
Intune name: Obfuscated js/vbs/ps/macro code
|
Intune name: Obfuscated js/vbs/ps/macro code
|
||||||
|
|
||||||
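Review bot: the replacement sentence "This rule blocks scripts from running downloaded content, preventing malicious use of the scripts to spread malware and infect computers" describes a different rule (JavaScript/VBScript launching downloaded executable content), not the obfuscated-scripts rule this section covers. It contradicts the unchanged sentence just above it ("This rule detects suspicious properties within an obfuscated script") and the Intune name "Obfuscated js/vbs/ps/macro code" that follows. This looks like a copy-paste from the neighbouring section; restore "This rule prevents obfuscated scripts with suspicious behaviors from running."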
@ -152,11 +149,9 @@ SCCM name: Block execution of potentially obfuscated scripts.
|
|||||||
|
|
||||||
GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
|
GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
|
||||||
|
|
||||||
### Block Win32 API calls from Office macro
|
### Block Win32 API calls from Office macros
|
||||||
|
|
||||||
Malware can use macro code in Office files to import and load Win32 DLLs, which the malware then uses to make API calls to allow further infection throughout the system.
|
Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface.
|
||||||
|
|
||||||
This rule blocks Office files containing macro code from importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote.
|
|
||||||
|
|
||||||
Intune name: Win32 imports from Office macro code
|
Intune name: Win32 imports from Office macro code
|
||||||
|
|
||||||
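Review bot: deleting "This rule blocks Office files containing macro code from importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote." removes both the mechanism (blocking Win32 DLL imports from VBA) and the application scope; every other rule section in this diff keeps a "This rule applies to ..." line, so keep the scope sentence here for consistency. "Most organizations don't use this functionality" is an unsupported generalization; cite it or cut it. Also, the heading rename from "Office macro" to "Office macros" changes the generated anchor, so any in-repo links to the old heading need updating.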
@ -166,7 +161,7 @@ GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
|
|||||||
|
|
||||||
### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
|
### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
|
||||||
|
|
||||||
This rule blocks the following file types from launching unless they either meet prevalence or age criteria set by admins, or they're in a trusted list or exclusion list:
|
This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list:
|
||||||
|
|
||||||
- Executable files (such as .exe, .dll, or .scr)
|
- Executable files (such as .exe, .dll, or .scr)
|
||||||
|
|
||||||
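Review bot: dropping "set by admins" from the prevalence/age criteria is the right correction, but the sentence now says nothing about where those thresholds come from or what the rule does when that source can't be consulted. State who determines the prevalence and age criteria so the reader doesn't go looking for a setting to tune, and keep the distinction that only the trusted list and exclusion list are admin-controlled.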
@ -207,8 +202,6 @@ GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
|
|||||||
|
|
||||||
### Block process creations originating from PSExec and WMI commands
|
### Block process creations originating from PSExec and WMI commands
|
||||||
|
|
||||||
This rule blocks process creations that are invoked externally by PSExec or WMI. You can legitimately use PSExec or WMI for computer management. Because the invoking process is external to the system, this rule can't determine which application invoked the process creation. Exclusions don't apply to this rule, so don't enable this rule if you're using a PSExec-based program or a WMI-based program like SCCM.
|
|
||||||
|
|
||||||
This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
|
This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
|
||||||
|
|
||||||
>[!IMPORTANT]
|
>[!IMPORTANT]
|
||||||
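Review bot: the deleted paragraph carried the operationally critical caveats for this rule: that exclusions don't apply, that the rule can't tell which application invoked the process creation because the invoker is external, and that enabling it breaks WMI-based management such as SCCM. The kept one-liner "This rule blocks processes through PsExec and WMI commands from running" says none of that; unless the IMPORTANT callout immediately below (not shown in this hunk) restates it, restore the caveat, at minimum the exclusions and SCCM points. Minor: the heading spells "PSExec" while the kept sentence uses "PsExec"; pick one.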
@ -238,9 +231,7 @@ GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
|
|||||||
|
|
||||||
### Block Office communication application from creating child processes
|
### Block Office communication application from creating child processes
|
||||||
|
|
||||||
This rule prevents Outlook from creating child processes, including launching an app when a user double-clicks an attachment.
|
This rule prevents Outlook from creating child processes. It prevents apps from launching when a user double-clicks an attachment or clicks a link embedded in an email. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
|
||||||
|
|
||||||
This is a typical malware behavior, especially for macro-based attacks that attempt to use Outlook to launch or download malicious executables. There are legitimate uses of this behavior, such as emails that contain a hyperlink that starts a browser session. Some common usages, like starting a browser session within an email, already have global exclusions.
|
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>This rule applies to Outlook and Outlook.com only.
|
>This rule applies to Outlook and Outlook.com only.
|
||||||
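Review bot: the new paragraph says the rule "prevents apps from launching when a user ... clicks a link embedded in an email", while the deleted paragraph said starting a browser session from a link "already ha[s] global exclusions". Both can't be true as written; say explicitly whether link clicks that open the default browser are blocked or globally excluded, since that decides whether this rule can be deployed in block mode for users who click email links. The added rules-and-forms link is a good addition and should stay.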
@ -253,9 +244,7 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
|
|||||||
|
|
||||||
### Block Adobe Reader from creating child processes
|
### Block Adobe Reader from creating child processes
|
||||||
|
|
||||||
This rule blocks Adobe Reader from creating child processes.
|
Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
|
||||||
|
|
||||||
This helps protect against heap-based buffer overflow vulnerabilities in PDF files, which attackers could use to launch malicious code. It also mitigates against potential JavaScript and Adobe Flash engine vulnerabilities that could allow attackers to insert and execute malicious code in PDF documents.
|
|
||||||
|
|
||||||
Intune name: Not applicable
|
Intune name: Not applicable
|
||||||
|
|
||||||
|
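Review bot: "break out of Adobe Reader" overstates what a child-process block does; the rule stops Reader from spawning another process, it does not stop an exploit from running inside the Reader process. The deleted sentence had the same problem in the other direction ("helps protect against heap-based buffer overflow vulnerabilities"). State the boundary plainly: the rule blocks the payload-launch step after exploitation or social engineering, not the exploit itself, so in-process actions such as reading files are unaffected. Also, "Intune name: Not applicable" with no explanation reads like a gap; say why, or point to where this rule is configured instead.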