Microsoft extends support for its Antimalware Scan Interface (AMSI) to Office 365 client applications, offering its customers protection against script-based threats at runtime.
AMSI has been around since 2015, when it first shipped in the Windows 10 Technical Preview. It allows applications and services to communicate with the security product installed on the system and request, at runtime, a scan of a memory buffer.
The interface is generic, so it works with any antimalware solution that implements it. Because it was available only on Windows 10, and antivirus makers have to cover multiple platforms, adoption was slow initially, but support is now available in all major antivirus products.
AMSI integrates with scripting engines, too
Integrating AMSI into Office 365 client applications aims to deliver protection against malicious macros in the final stage of the attack, when the scripting engine runs the code in its plain, unobfuscated form.
Microsoft explains that with Office VBA, the AMSI integration functions in three steps: logging the macro behavior, requesting a scan from the antimalware solution, and stopping the malicious macro.
In a real-world scenario, when the victim enables macros and triggers the deobfuscation routine, the behavior monitoring component logs the resulting code and passes it to the antivirus.
Even if the entire operation happens in memory, as is the case with…