Application Guard for Office and Safe Documents will make phishing attacks harder and the Office experience better for users, starting with Office 365 Pro Plus and E5 licences.
So far, Microsoft’s Windows Defender Application Guard technology (first introduced in the RS3 release of Windows 10) has really protected only one application: the original and (more recently) the new Chrome-based Edge browsers — the WDAG extensions for Chrome and Firefox let you open sites you don’t trust in Edge instead.
But the same technology will soon run Word, Excel and PowerPoint in a hardware-virtualised sandbox when you open documents from the internet, letting you copy, print, edit and save documents without having to click out of Protected View and reopen the document (which is both annoying and an opportunity to get infected with malware).
Application Guard for Office delivers “container-based WDAG support for key Office applications,” Dave Weston, director of OS security at Microsoft told TechRepublic. It’s a big step forward because Office macros, embedded scripts, active content like OLE and COM controls, and documents with obfuscated links to malware remain a major source of attacks — and Protected View leaves a key security decision up to users who may be ill-equipped to decide which documents are safe.
“Office is the most productive application out there. What people love about it is the extensibility; we love the fact that you can probably build an entire oil or energy platform on top of Office with macros, with a few Excel files. But that also obviously gives attackers the opportunity to confuse users into opening documents with macro-based attacks or other [malicious] content,” Weston said.
Image: Microsoft
Active content isn’t the only threat, said Weston. Although it’s rare, some attackers have used zero-day exploits to attack enterprises through Office documents. “In recent years we’ve seen zero-day exploits that get code execution initially into protected mode and then combine that with some sort of a kernel or other vulnerability to ‘escape’ the sandbox.”
Application Guard addresses both styles of attack, Weston said. “There is no access in the container to things like credentials transparently, so you can’t just do NTLM attacks. And of course, active content is kept within the container and only promoted once it gets past a deeper analysis. The fact that Application Guard can allow you to contain any threat from the internet in essentially a shrunk-down version of the Azure hypervisor is incredibly valuable.”
Protected View is safe but annoying, because you can’t sort an Excel spreadsheet or print a PowerPoint without turning it off and waiting for the document to reopen. Application Guard is seamless, as the document opens in the container straight away. Attackers would also try to trick users into turning it off.
“Attackers would put things in their documents like ‘this image is blurry but if you click the bar to turn off Protected View, that will give you a nice clear image’ so it becomes part of their lure,” Weston pointed out. “All of that is gone. You can edit the document, you can save and persist it and reopen it in the container; you essentially have a separate virtually secured and segmented workspace and you can edit, print and do all the basic functions, without having to ‘escape’ the container.”
Running in a container doesn’t make opening documents slower, Weston stressed. “We’ve made numerous performance improvements — things like GPU access, better network management, all sorts of tweaks — and there are lots of under-the-hood performance optimizations.” Rather than loading the Office application from scratch, Application Guard loads a virtual machine with the application already running. “When you start up Office with an untrusted document, we resume that VM, and rehydrate that process so it effectively feels instantaneous.”
“If you compare the time it takes for a user to go through and click all the buttons required to edit or print a document to the few seconds that are required to spin up a container, in some cases it can actually be faster to use than the traditional software-based Protected View sandbox.”
There is still a way to take documents out of the Application Guard sandbox, using the Safe Documents feature that’s already in Office Insider public preview (although it’s off by default because currently all files are sent to the US region for scanning). This checks the documents to see if they’re safe to open.
“If you’ve got a vital business document that you want to promote into the enterprise space, you can release it from the container, but it first needs to go through deep analysis through our Defender ATP engine, where we run things like our AMSI interface to understand that it’s secure.” Administrators also get the option to decide whether users can mark documents as safe by having them scanned this way.
Application Guard requires Windows 10 for the hardware-based virtualisation that powers the containers; Safe Documents doesn’t. On other systems, users will be able to have a document checked by Defender ATP before it leaves Protected View.
“You’re going to be accessing your mail on other systems like Macs or Android devices, or maybe older versions of Windows that wouldn’t have containers available,” Weston pointed out. Having both will still give you more comprehensive protection. “Detection is incredibly valuable, we do a great job with it, but it’s not perfect so having a container as a backstop is an excellent way to cover all your bases.”
E5 for integration
Application Guard for Office 365 ProPlus will be available “very soon” Weston said: it’s been in private preview and has already been announced as a Windows 10 2004 feature.
It will work automatically for Outlook attachments, documents downloaded from any domain that’s not your intranet or a trusted site, and files in untrusted folders like the Temporary Internet folder, as long as Application Guard is enabled as a Windows 10 feature (which can be done by policy or the user), the documents are opened in Office 365 ProPlus and you have either a Microsoft 365 E5 or Microsoft 365 Security E5 license.
Safe Documents also needs an E5 licence and Office 365 ProPlus. The E5 requirement isn’t about making this a premium feature: it’s because you need an E5 licence for Windows Defender Advanced Threat Protection, and the integration with that makes Application Guard far more useful to enterprises, by giving defenders visibility into attacks and helping to protect them on more than just Windows 10 devices.
“These things work together hand-in-hand because if you’ve prevented an attack, you almost always want to investigate that,” Weston pointed out. “You want to understand where it came from, so that you ensure that that attack hasn’t pivoted to somewhere else in your enterprise that might not have hardcore prevention. What we see as magical is the experience where we can prevent basically anything under the sun, including kernel exploits, where you fully prevented this attack but you have all the options for detecting and responding to it; and we can only provide that experience if it’s built into the suite.
“Having worked security incidents for so many years, the fact that I could go from a detonation on the client to investigating mailboxes across an enterprise is incredible progress. That’s the type of thing you used to have to do in Excel or spending hours writing Python scripts and mining logs, and now that happens in seconds.”
Because Safe Documents and Application Guard feed information about dangerous documents back into the Microsoft Security Graph, they indirectly protect users who don’t have Office 365 ProPlus or an E5 licence.
“If someone gets a document from any location, whether that’s OneDrive, Dropbox or Gmail, and they open it and we determine it’s a threat in the container, based on Defender ATP analysis, we can then take that information up into the security graph, put it into the SecOps ATP portal and immediately pivot into other mailboxes that haven’t even read the threat yet and eradicate it there,” Weston explained.
Details like the X-Mail header and the file hash will be used to automatically build machine-learning models to detect the same attack on other devices. “The rest of the security graph will be protected instantaneously, because that’s immediately going to be consumed into our models and turned into protection without humans doing anything,” said Weston.
And in time Application Guard and Safe Documents may be available beyond Office ProPlus and E5 tenants. “We’re starting with enterprise because that’s where the demand is and we want to mature the technology. But ultimately we want to protect users, so we will continue to look for opportunities to trickle down that technology.”
Weston also predicts that Application Guard will likely protect more than just Word, Excel and PowerPoint in the future. “We’re going to look hard at Outlook and some of the other parts of the Office suite, and determine if there’s enough customer demand and we have the right experience for those types of apps. You could even go as far as Teams.”
None of those applications are on the roadmap yet, and it depends on what applications are targeted by attackers, Weston said. “As we can mature the technology and deliver a good experience, we would look at any place that attackers are moving to, to give this type of security
