Application Guard to block malicious attachments in Office 365
Microsoft is bringing the Application Guard security container to Office 365 ProPlus this year, which could limit the threat of malicious Office documents for subscribers.
At its 2019 Ignite conference, Microsoft touted the security benefits of bringing Application Guard containers to Office 365, but experts noted the limitations of those benefits.
Application Guard is a Windows Defender feature that was first introduced to Internet Explorer and Microsoft Edge in 2016 and allowed browser tabs to be opened in a Hyper-V container. Those same protections are now available for Office 365 in a limited preview, with a wider release planned for Office 365 ProPlus subscribers at some point in 2020.
Office 365 ProPlus is the enterprise tier of the app suite for organizations with more than 300 users.
With Application Guard, potentially malicious Office documents will be opened in a virtualized container where any threats will be -- theoretically -- unable to affect the rest of the system. And, even if the user opts to trust the file, it will be checked against Microsoft Defender Advanced Threat Protection.
"You will be able to open an untrusted Word, Excel, or PowerPoint file in a virtualized container. View, print, edit, and save changes to untrusted Office documents -- all while benefiting from that same hardware-level security [brought to the browser]," Rob Lefferts, corporate vice president for Microsoft Security, wrote in a blog post. "If the untrusted file is malicious, the attack is contained and the host machine untouched. A new container is created every time you log in, providing a clean start as well as peace of mind."
David Weston, partner director of OS security at Microsoft, confirmed this meant Application Guard would be a single container for all potentially malicious files and a new container would be created with each Windows login.
Salah Nassar, vice president of marketing at CipherCloud, said Application Guard should "ultimately reduce threats" in Office 365, but noted that it is limited right now.
"The problem Application Guard solves is malware within the Microsoft applications and does not extend to other non-Office 365 files," Nassar told SearchSecurity. "For organizations that are solely looking to protect Microsoft Office 365 applications and no other popular business applications such as Salesforce, G Suite, Workday or private apps running on IaaS, Office 365 ProPlus may be a viable solution as a standalone security measure, albeit an expensive solution."
Gerrit Lansing, field CTO with Stealthbits Technologies, said Application Guard for Office 365 "is a positive step forward for the security of the business user."
"Isolating and disposing of the compute resources that interact with untrusted information contributes substantively to blocking many of today's common attack vectors," Lansing told SearchSecurity. "It's important to note, however, that we should not forget the security failures -- in user awareness and education, edge malware and phishing detection and blocking, and more -- that have occurred by the time a user opens a malicious untrusted document. These features serve as an important safeguard, but too often become a crutch to avoid addressing the human challenge."
Weston added that while Application Guard will be limited to Office 365 ProPlus subscribers, Microsoft has plans for the future.
"We challenged ourselves to bring the security of Azure virtualization technology to PCs, which required us to work through a series of integrations to create a seamless Office user experience while maintaining security and performance," Weston told SearchSecurity. "Application Guard for Office represents new innovations that brings together the best of Office, Windows and Microsoft Threat Protection. App Guard for Office is currently in limited preview. We plan to extend similar protections as we get more customer input and feedback."