Forum Discussion
CrowdStrike EDR repeatedly flags m365copilot_autostarter.exe
We are seeing recurring CrowdStrike informational alerts for m365copilot_autostarter.exe, located under the WindowsApps directory for Microsoft OfficeHub (versions 19.2509.32081.0 and 19.2508.51171.0).
The alerts are flagged as “meeting the machine learning-based on-sensor AV protection’s lowest-confidence threshold for malicious files”.
Two hashes are repeatedly seen across different customer environments:
- 2ee039508706a40e1ca608d2da670d8f8b4b3605343ae4601e7f2407db6a35e (timestamp: Sept 2, 2025)
- ade2675e1247ffd1cbe4e408716a559fb502aeca26985a53d35755d1c13827f3 (timestamp: Aug 21, 2025)
Both files appear clean in reputation checks, but they are unsigned and have no vendor information, which is raising questions in security tooling.
Since these alerts are consistently triggered across Windows 10 and 11 endpoints in multiple environments, we are trying to confirm:
- Is this a legitimate, recently introduced OfficeHub / Copilot component?
- Why is it unsigned compared to other OfficeHub binaries?
Any clarification from Microsoft would be appreciated.
1 Reply
- Jovansavage (Copper Contributor)
Hello,
Here's what I would recommend.
This looks like a legitimate Microsoft 365 Copilot / OfficeHub component that’s triggering low-confidence, ML-based informational alerts in CrowdStrike because the autostarter binary is not presenting a normal Authenticode signature.
- Coordinate with CrowdStrike: submit the sample (or CrowdStrike can pull it) so Falcon analysts can mark it as a false positive or tune models. Request a detection rule update so the informational alerts stop reoccurring in customers where the file is verified clean.
- Prefer publisher/package exceptions in your EDR policy rather than hash exceptions. Hashes will change with updates; publisher/package exceptions survive updates better (but only do this after vendor confirmation).
- Monitor for changes: if Microsoft pushes updated OfficeHub/Copilot releases, track new hashes and repeat verification. Consider automating hash collection from your fleet and a change-detection alert for unknown publisher/signature changes.
Jovan.
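The "automate hash collection and alert on publisher/signature changes" step in the reply above, as an added PowerShell example that is not part of the thread and not Microsoft's or CrowdStrike's tooling. It locates every installed copy of the autostarter under the OfficeHub package directories (old package versions linger after updates, which is why two hashes show up at once), records SHA-256, Authenticode status, signer subject, FileVersion/CompanyName and the MSIX package's SignatureKind, then diffs that against a JSON baseline from the previous run. A hash change on its own is reported as informational (expected on every update); a change in signature status, signer or company name is reported as a warning and the script exits non-zero so a scheduled task or RMM job can open a ticket. The package name prefix `Microsoft.MicrosoftOfficeHub` and the baseline path under ProgramData are assumptions chosen for the example; the binary name is the one from the original post.

```powershell
# Added example: baseline + change detection for m365copilot_autostarter.exe.
# Run elevated; -AllUsers on Get-AppxPackage and reading under WindowsApps both need it.
param(
    [string]$PackageName  = 'Microsoft.MicrosoftOfficeHub',        # assumed package name prefix
    [string]$BinaryName   = 'm365copilot_autostarter.exe',         # from the original post
    [string]$BaselinePath = "$env:ProgramData\edr-baseline\$BinaryName.json"  # assumed location
)

function Get-BinaryFacts {
    param([string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path          # NotSigned / Valid / HashMismatch ...
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $vi   = (Get-Item -LiteralPath $Path).VersionInfo
    [pscustomobject]@{
        Path            = $Path
        Sha256          = $hash
        FileVersion     = $vi.FileVersion
        CompanyName     = $vi.CompanyName                         # empty on the files in the post
        SignatureStatus = $sig.Status.ToString()
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Enumerate every installed version of the package, not just the newest one.
$current = foreach ($pkg in (Get-AppxPackage -Name "$PackageName*" -AllUsers)) {
    $files = Get-ChildItem -LiteralPath $pkg.InstallLocation -Recurse -File -Filter $BinaryName -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $facts = Get-BinaryFacts -Path $f.FullName
        $facts | Add-Member -NotePropertyName PackageVersion       -NotePropertyValue $pkg.Version.ToString()
        $facts | Add-Member -NotePropertyName PackageSignatureKind -NotePropertyValue $pkg.SignatureKind.ToString()  # Store / Enterprise / Developer / None
        $facts
    }
}

if (-not $current) {
    Write-Warning "No $BinaryName found under packages matching $PackageName*"
    exit 1
}

# Load the previous run's baseline, keyed by full path.
$baseline = @{}
if (Test-Path -LiteralPath $BaselinePath) {
    foreach ($entry in (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) {
        $baseline[$entry.Path] = $entry
    }
}

$info = @(); $warn = @()
foreach ($item in $current) {
    $known = $baseline[$item.Path]
    if (-not $known) {
        $warn += "NEW     $($item.Path) sha256=$($item.Sha256) pkg=$($item.PackageVersion) auth=$($item.SignatureStatus) pkgsig=$($item.PackageSignatureKind) company='$($item.CompanyName)'"
        continue
    }
    if ($known.Sha256 -ne $item.Sha256) {
        $info += "HASH    $($item.Path) $($known.Sha256) -> $($item.Sha256)"   # expected on every update
    }
    if ($known.SignatureStatus -ne $item.SignatureStatus -or $known.Signer -ne $item.Signer) {
        $warn += "SIGNER  $($item.Path) $($known.SignatureStatus)/'$($known.Signer)' -> $($item.SignatureStatus)/'$($item.Signer)'"
    }
    if ($known.CompanyName -ne $item.CompanyName -or $known.PackageSignatureKind -ne $item.PackageSignatureKind) {
        $warn += "PUBLISHER $($item.Path) company '$($known.CompanyName)' pkgsig $($known.PackageSignatureKind) -> '$($item.CompanyName)' $($item.PackageSignatureKind)"
    }
}

# Persist the current state as the next baseline before reporting.
$dir = Split-Path -Parent $BaselinePath
if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
$current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath -Encoding UTF8

$info | ForEach-Object { Write-Host "INFO $_" }
$warn | ForEach-Object { Write-Warning $_ }
if ($warn) { exit 2 }   # non-zero so the scheduler/RMM raises it for review
exit 0
```

Ship the JSON (or the `$current` objects exported as CSV) from each endpoint to a central share so the fleet-wide set of hashes per package version can be handed to CrowdStrike in one go, and treat a `SIGNER`/`PUBLISHER` line as something to verify with the vendor before any new exception is created.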