06-03-2025 05:35 AM
For the last few days I've had random machines (some with fresh Windows installs) triggering Cortex alerts when logging into OneDrive.
The alert is Behavioral threat detected (rule: parent_process_spoofing) and the path is the legitimate OneDrive executable at C:\Program Files\Microsoft OneDrive\25.085.0504.0002\OneDriveLauncher.exe.
Has anyone else been seeing this?
06-03-2025 10:11 AM
Hi,
Thanks for reaching out, LC.
This false positive has already been noticed and is planned to be fixed in the next content releases.
Please test after the next release, and if the issue still persists, open a support ticket to get further analysis on your issue.
If you feel this answered your question, please mark it as the solution.
Regards,
06-03-2025 07:54 AM
I have also been seeing this, exact same path and version of OneDrive.
06-03-2025 12:38 PM
I've seen process spoofing incidents on FileCoAuth.exe, OneDriveLauncher.exe, and OneDrive.exe.
06-03-2025 12:39 PM
Hello,
We are also receiving the same alert, but it's from a different file path. Can you please confirm that this is a false positive? I would like to know why Cortex XDR is blocking it, as it is a legitimate file:
C:\Users\xxx\AppData\Local\Microsoft\OneDrive\25.085.0504.0002\OneDriveLauncher.exe
C:\Users\xxx\AppData\Local\Microsoft\OneDrive\25.085.0504.0002\FileCoAuth.exe
06-04-2025 01:41 AM
We've been seeing the same for the last couple of weeks. Either associated directly with OneDrive or occasionally with Word and an ai.exe process (assuming co-pilot here). Good to know we're not alone and that it will be fixed in the next content pack. Any ideas on dates for that please?
06-10-2025 01:04 AM
Hello,
Thanks for the clarification. Just to confirm, after which content release should we expect this problem to be fixed? We're still receiving this alert, and I need to compare the client content version with the fixed one.
Br,