From 8dc77214a298b217fe586e61110d544bf092ef4e Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 16 Nov 2018 19:44:30 +0000 Subject: [PATCH] Clarified Office apps rule. --- .../attack-surface-reduction-exploit-guard.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index b14135494f..b09d4d8b79 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -71,6 +71,9 @@ This rule blocks the following file types from being run or launched from an ema Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. +>[!NOTE] +>This does not include Outlook. For Outlook, please see [Block Office communication applications from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#rule-block-office-communication-applications-from-creating-child-processes). + This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. ### Rule: Block Office applications from creating executable content
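Review bot: In the `@@ -71,6 +71,9 @@` hunk, the new `>[!NOTE]` sits between the rule description ("Office apps will not be allowed to create child processes...") and the context line "This is a typical malware behavior...". That sentence's "This" now follows a note about Outlook and loses its antecedent. Moving the note below the rationale sentence would keep the description and its reason together. The link also uses the absolute `https://docs.microsoft.com/en-us/...` URL for an anchor in the same file this patch edits. A relative fragment link (`#rule-block-office-communication-applications-from-creating-child-processes`) would avoid pinning the locale and would survive a path change. The target heading is not visible in this hunk, so it is worth confirming that the anchor resolves.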