Protect accounting firms from spreading malware via uploaded tax documents

Microsoft recently highlighted a scheme to infect tax accounting firms with malware. The criminals' intent is that once a tax accountant has been infected, the compromise will not only provide access to a treasure trove of client information that could be used for identity theft, but may also expose business customers' data that the criminals may be able to leverage.

Fortunately, Defender protects against this when configured correctly. In addition to the Defender for Endpoint sensor installation, Attack Surface Reduction rules and certain anti-virus configurations should also be deployed.

Attack Surface Reduction Rules

Add these two rules:

  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Block JavaScript or VBScript from launching downloaded executable content

Open the Endpoint Manager admin console, then navigate to Endpoint security, Attack Surface Reduction rules.

Review your rules and make sure that the two above are included and set to Block.

Configure Defender Anti-Virus

Add these two configurations:

  • Enable Microsoft Defender Antivirus scanning of downloaded files and attachments
  • Enable cloud-delivered protection

Open the Endpoint Manager admin console, then navigate to Endpoint security, Antivirus.

Create or review your anti-virus policy. Set the items above in the Defender configuration section.
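To confirm on a device that the Attack Surface Reduction and anti-virus policies above actually applied, the settings can be read back with Get-MpPreference. The following is an added example, not part of the original post: the function name Test-DefenderTaxHardening and the sample object are constructed for illustration, and it assumes the Defender PowerShell module is present on the endpoint.

```powershell
function Test-DefenderTaxHardening {
    # Hypothetical helper name. Reads live settings unless an object is passed in.
    param($Preference = (Get-MpPreference))

    # ASR rule GUIDs as listed in Microsoft's ASR rules reference.
    $rules = [ordered]@{
        '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'ASR: block executables unless prevalence, age, or trusted list criterion is met'
        'd3e037e1-3eb8-44c8-a917-57927947596d' = 'ASR: block JavaScript or VBScript from launching downloaded executable content'
    }
    # Ids and Actions are parallel arrays: Actions[i] is the mode of Ids[i].
    $ids     = @($Preference.AttackSurfaceReductionRules_Ids)
    $actions = @($Preference.AttackSurfaceReductionRules_Actions)

    foreach ($guid in $rules.Keys) {
        $action = $null
        for ($i = 0; $i -lt $ids.Count; $i++) {
            # -eq on strings is case-insensitive, so GUID casing does not matter.
            if ($ids[$i] -eq $guid) { $action = $actions[$i] }
        }
        [pscustomobject]@{
            Setting   = $rules[$guid]
            Current   = if ($null -eq $action) { 'not configured' } else { "action=$action" }
            Compliant = ($action -eq 1)   # 1 = Block, 2 = Audit, 6 = Warn, 0 = Disabled
        }
    }

    [pscustomobject]@{
        Setting   = 'AV: scan downloaded files and attachments'
        Current   = "DisableIOAVProtection=$($Preference.DisableIOAVProtection)"
        Compliant = ($Preference.DisableIOAVProtection -eq $false)
    }
    [pscustomobject]@{
        Setting   = 'AV: cloud-delivered protection'
        Current   = "MAPSReporting=$($Preference.MAPSReporting)"
        Compliant = ($Preference.MAPSReporting -in 1, 2)   # 0 = disabled
    }
}

# Constructed sample: the second ASR rule is in Audit (2) rather than Block (1),
# so it is reported as non-compliant even though the rule is present.
$sample = [pscustomobject]@{
    AttackSurfaceReductionRules_Ids     = @('01443614-cd74-433a-b99e-2ecdc07bfc25',
                                            'D3E037E1-3EB8-44C8-A917-57927947596D')
    AttackSurfaceReductionRules_Actions = @(1, 2)
    DisableIOAVProtection               = $false
    MAPSReporting                       = 2
}
Test-DefenderTaxHardening -Preference $sample | Format-Table -AutoSize -Wrap
```

On a managed device, call Test-DefenderTaxHardening with no arguments from an elevated session; a rule left in Audit or Warn shows up as non-compliant, which is the case the "set to Block" review step is meant to catch.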
