Office 365 now opens attachments in a sandbox to prevent infections

Microsoft today announced the launch of Application Guard for Office in public preview to protect enterprise users from threats using malicious attachments as an attack vector.

Application Guard for Office (also known as Microsoft Defender Application Guard for Office) is designed to help block files downloaded from untrusted sources from gaining access to trusted resources, by opening them within an isolated sandbox.

This sandbox automatically stops maliciously crafted files from exploiting vulnerabilities, downloading additional malicious tools, or otherwise affecting the user's device and data.

Application Guard for Office was initially launched in limited preview last year, in November 2019.

Off by default in supported environments

Malicious Office documents are among the most common vectors exploited by threat actors to deploy malware such as ransomware, RATs, data-stealing trojans, and malware downloaders.

“To help protect your users, Office opens files from potentially unsafe locations in Application Guard, a secure container that is isolated from the device through hardware-based virtualization,” Microsoft Sr. Office Deployment Engineer Eric Wayne said.

“When Office opens files in Application Guard, users can securely read, edit, print, and save those files without having to re-open files outside the container.”

Image: Alert shown when opening untrusted files in Office (Microsoft)

The Application Guard for Office feature works with Word, Excel, and PowerPoint for Microsoft 365. It is off by default; customers with Microsoft 365 E5 or Microsoft 365 E5 Security enterprise plans can deploy it in their environments.

Before admins can turn it on, endpoints must run Windows 10 Enterprise edition, version 2004 (20H1), with the KB4566782 cumulative update and the Application Guard for Office feature enablement package installed.
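As an added readiness check (not Microsoft's own tooling), the following PowerShell snippet verifies the endpoint prerequisites listed above. It assumes that Windows 10 version 2004 corresponds to OS build 19041, that KB4566782 corresponds to build revision 19041.450 (a later cumulative update supersedes it and hides it from Get-HotFix), and that the "Windows-Defender-ApplicationGuard" optional feature is the Application Guard component; the Office feature enablement package has no reliable system-level check and is not covered.

```powershell
# Added example: Application Guard for Office prerequisite check.
# Run in an elevated PowerShell session on the endpoint being evaluated.
$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$results = [ordered]@{}

# 1. Edition must be Windows 10 Enterprise.
$results['Windows 10 Enterprise'] = ($os.Caption -match 'Windows 10' -and $os.Caption -match 'Enterprise')

# 2. Version 2004 (20H1) is assumed to be build 19041 or later.
$results['Build >= 19041 (2004)'] = ([int]$os.BuildNumber -ge 19041)

# 3. KB4566782: either listed directly, or superseded by a later cumulative
#    update, in which case the revision (UBR) is assumed to be >= 450.
$kbPresent = [bool](Get-HotFix -Id KB4566782 -ErrorAction SilentlyContinue)
$ubrOk = ([int]$os.BuildNumber -gt 19041) -or ([int]$cv.UBR -ge 450)
$results['KB4566782 or later CU'] = ($kbPresent -or $ubrOk)

# 4. Microsoft Defender Application Guard optional feature must be enabled
#    (the container relies on this component).
$feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard `
    -ErrorAction SilentlyContinue
$results['MDAG feature enabled'] = ($feature -and $feature.State -eq 'Enabled')

# 5. Hardware virtualization must be available, since the sandbox is a VM.
$results['Hypervisor present'] = [bool]$cs.HypervisorPresent

# Print a one-line verdict per requirement.
$results.GetEnumerator() | ForEach-Object {
    '{0,-26} : {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Any MISSING line points at the prerequisite an admin must address before the policy to enable Application Guard for Office will take effect on that device.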

Microsoft Defender ATP integration

“Application Guard for Office is a restricted mode that isolates untrusted documents from accessing trusted corporate resources, intranet, the user’s identity, and arbitrary files present on the computer,” Microsoft explains.

“As a result, if a user tries to access a feature that has a dependency on such access, for example, inserting a picture from a local file on disk, it will fail and produce a prompt like the one below.

“To enable an untrusted document to access trusted resources, users must remove Application Guard protection from the document.”

Image: Prompt shown when trying to access trusted resources (Microsoft)

Application Guard for Office is integrated with the Microsoft Defender Advanced Threat Protection enterprise endpoint security platform, providing malicious activity monitoring and alerting within the isolated environment.

Microsoft provides detailed instructions on how to deploy and configure Application Guard for Office, as well as licensing and minimum hardware/software requirements.