Ransomware is extremely dangerous to your data. Hackers often use malicious Microsoft Office documents as a means to infect end users with ransomware. Microsoft has announced Application Guard for Office to help isolate ransomware using a containerized environment. Let's see how.

Hackers can use many attack vectors to infect your system with ransomware. They can use Office files to run malicious code on your system and install malware such as ransomware. Since most end users work with Office documents on a daily basis, they easily take such documents for typical, harmless files. However, this is not always the case.

Microsoft is continuing to do a lot of great work in the security space as it relates to Office specifically. One recent announcement from Microsoft regarding Office security enhancements is Application Guard for Office. What is Application Guard for Office and how does it increase the security of working with Office documents? Read on.

Application Guard for Office overview

Businesses constantly struggle to find the happy medium between security and productivity. Often security goes by the wayside in an effort to keep employees productive. End users often face the decision of whether or not to "trust" a particular Office document when they open it. Ultimately, you do not want your end users having the final say in this decision-making process, as they often make the wrong decision.

Application Guard is the isolation technology that ships with Windows 10. It uses Hyper-V virtualization to isolate untrusted content by provisioning its own micro-virtual machine (VM) as a sandbox environment. The hypervisor layer running between the container and the host operating system keeps the containerized or virtualized environment isolated from the host.
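As an added example that is not part of the article or of Microsoft's own tooling, the following PowerShell snippet checks whether a Windows 10 host has the Windows Defender Application Guard optional feature enabled and whether it exposes the virtualization prerequisites the Hyper-V micro-VM depends on. The optional-feature name and the Get-ComputerInfo property names are assumed to match the Windows 10 feature catalogue and cmdlet output; it checks only the Windows-level Application Guard feature, not the Office-side preview configuration, which the article does not detail.

```powershell
# Added example (not from the article): report Application Guard readiness on a
# Windows 10 host. Run from an elevated PowerShell prompt.

function Get-ApplicationGuardReadiness {
    # Optional-feature name for Application Guard (assumed to match the host's
    # feature catalogue; confirm with Get-WindowsOptionalFeature -Online).
    $featureName = 'Windows-Defender-ApplicationGuard'

    $feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName -ErrorAction SilentlyContinue

    # Get-ComputerInfo reports firmware virtualization support, SLAT (second level
    # address translation), VM monitor mode extensions and DEP, all of which
    # Hyper-V needs before it can host the Application Guard micro-VM.
    $ci = Get-ComputerInfo -Property HyperVRequirementVirtualizationFirmwareEnabled,
                                     HyperVRequirementSecondLevelAddressTranslation,
                                     HyperVRequirementVMMonitorModeExtensions,
                                     HyperVRequirementDataExecutionPreventionAvailable,
                                     HyperVisorPresent

    [pscustomobject]@{
        FeatureName            = $featureName
        FeatureState           = if ($feature) { $feature.State } else { 'NotFound' }
        HypervisorPresent      = $ci.HyperVisorPresent
        VirtualizationFirmware = $ci.HyperVRequirementVirtualizationFirmwareEnabled
        SLAT                   = $ci.HyperVRequirementSecondLevelAddressTranslation
        VMMonitorExtensions    = $ci.HyperVRequirementVMMonitorModeExtensions
        DEPAvailable           = $ci.HyperVRequirementDataExecutionPreventionAvailable
    }
}

$status = Get-ApplicationGuardReadiness
$status | Format-List

if ($status.FeatureState -ne 'Enabled') {
    Write-Warning ("Application Guard is not enabled. Enable it with:`n" +
                   "  Enable-WindowsOptionalFeature -Online -FeatureName $($status.FeatureName)")
}
```

Note that once a hypervisor is already running on the host, Get-ComputerInfo reports HyperVisorPresent as true and leaves the HyperVRequirement* properties empty, so empty values there are expected on a machine where Hyper-V is already active rather than a sign that the hardware lacks support.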

Microsoft has been doing a considerable amount of work to extend the features and protection of Application Guard to other important areas. They are extending the whole ecosystem of Application Guard technology to include not just the containerization of various operating system processes but also applications like Microsoft Edge, which Microsoft has recently enhanced with Application Guard.

At Ignite 2019, Microsoft announced that they'll extend Application Guard technology to Office 365 ProPlus to create an isolated, protected environment for your Office files. This will take the protection and isolation of Application Guard directly to one of the most dangerous attack vectors facing end users: their Office documents.

Adding Application Guard to Microsoft Office will allow end users to stay productive in an isolated environment, get the job done, and remain secure. Additionally, it uses the same technologies that Microsoft uses to isolate its server workloads in Azure.

Application Guard for Office is the extension of Application Guard in the context of Microsoft Office. It is essentially an evolution of the current "Protected View" in Microsoft Office. Protected View treats files downloaded from the internet or received as attachments from personal email accounts as untrusted; Application Guard for Office goes further and isolates these files in a container.

Your end user "trust" decisions about Office documents will no longer have to be detrimental to overall security because the Application Guard mechanism will open the file inside the isolated containerized environment regardless.

Even if users decide to trust documents, they will be unable to use the documents until the Microsoft Defender Advanced Threat Protection (ATP) cloud scans them for extra protection.

How Application Guard for Office works

Each time an end user logs in, Application Guard creates a new container as an isolation environment. Microsoft demonstrated how the protected environment looks to an end user. Surprisingly, all actions of the containerized environment are transparent to end users; they do not even realize what is happening in the background.

Architecture of Application Guard for Office (image courtesy of Microsoft)

In the demonstration, an end user opens an Office document infected with ransomware. The document opens and the ransomware runs. However, it does not affect any of the end user's files. The ransomware opens in the containerized environment without any access to or knowledge of the real user environment outside.

In the screenshot below, the ransomware has executed, but notice the files on the desktop are still healthy and remain unencrypted even though the ransomware assumes it has encrypted all available files.

Ransomware running inside the Application Guard for Office container

The end user may be unaware of the activities unfolding with the ransomware in the protected environment. Yet due to the deep integration with Microsoft Defender Advanced Threat Protection (ATP), IT administrators will have complete visibility. This includes alerts, logs, confirmation of the attack being contained within the Application Guard containerized environment, and threat correlation to any other similar threats happening across the organization.

The screenshot below shows alerts fired off to IT administrators regarding the Application Guard isolation and the detection of suspicious activity inside the Microsoft Word environment.

Microsoft Defender Security Center alerts

Concluding thoughts and impressions

Hackers continue to use the tried and true ways of infecting end users, such as internet browsing, email, and Office documents. The new Application Guard for Office solution builds upon the Application Guard technology Microsoft continues to use across various applications and use cases. Microsoft added it to Edge recently, and now that Office 365 uses Application Guard, it is evident Microsoft intends to continue extending its scope.

Using a containerized barrier is an effective way of isolating malicious code when it runs. With the isolated, containerized environment, malicious code such as ransomware is unaware of your real files that exist outside the isolated environment. This means that even if the code executes, your business-critical files are safe and unaffected by any malicious processes.

Application Guard for Office appears to be a useful evolution of this hypervisor-assisted technology that allows isolating malicious processes so your business-critical files are unaffected. While it is available currently in preview, Microsoft has announced that it should be available to everyone by the summer of 2020.

1 Comment
  1. Travis 3 years ago

    This post is so great, thanks to the author for writing the details.
