.NET WinForms App misidentified as Trojan AgentTesla

Question

I am struggling with the Windows Defender. Since a few weeks a ClassLibrary.dll from our company gets flagged as the trojan "Trojan:MSIL/AgentTesla.CED!MTB" by the Windows Defender. Of course our customers are loudly complaining.

My first step was to research this malware. It's from 2014 but still very active and still being widely in circulation. Written on the .NET framework it steals information from the victims machine. A few interesting articles told me it often camouflages itself by hiding the actually malicious code via Steganography in images or embedded in other text files which it then extracts and executes when already on the victims machine.

Now I had a closer look on our ClassLibrary.dll. There were many pieces of code which I thought might trigger a anti virus program looking for this malware. Code for assembly side loading, Office Interop stuff and whatnot. But when I started to remove file after file and line of code after line of code I was really surprised. The Windows Defender detection did not go away! I am now left with four cs files and a resx file which all do not do much.

At that point I thought it might be the Windows Defender just caching the file name. But I made a new .NET WinForms project with the four files and the few lines of code and still got the same Windows Defender detection. The result is reproduceable on all of my colleagues machines I tried.

Since now I had a very small test project I uploaded the dll to VirusTotal. Out of 70 virus scanners only the Windows Defender flagged it as the malware. One hint it gave me is that in one file the method "Convert.FromBase64String()" is used. But that is surely used in a lot of projects which are not malware. Here is the result: https://www.virustotal.com/gui/file/5987e3957cb53b5d91c59c77dec82eb8f08945ee6b80b9fadfb4af41be996710/detection

After that I uploaded the dll to Microsoft (https://www.microsoft.com/en-us/wdsi/filesubmission). But they don't want to help and insist it's nothing and I should just update my signatures. Not sure how that is supposed to help when it is the same result on multiple machines and also on VirusTotal.

Has anyone of you any idea why such a simple sample gets flagged as malware? Is it really possible that the Windows Defender jumps on such a few trigger words?

If you like to try for yourselves: It's a .NET Framework 4.8 ClassLibrary with the following files. Thats really all. Compile it. Scan it. I get the Agent Tesla trojan every time.

a.cs

using System.Threading;

namespace ClassLibrary.Controller
{
    public class a
    {
        private void A()
        {
            ThreadPool.QueueUserWorkItem(null, null);
        }
    }
}

b.cs

using System.Threading;

namespace ClassLibrary
{
    public class b
    {
        private void B()
        {
            var t = new Thread(() => { })
            {
                Name = "ClassLibrary.Data"
            };
        }
    }
}

d.cs

using System;

namespace ClassLibrary
{
    public class d
    {
        private void D()
        {
            Convert.FromBase64String(string.Empty);
        }
    }
}

DataTableConverter.cs

using System.Reflection;

namespace ClassLibrary
{
    public class DataTableConverter
    {
        private Assembly AssemblyResolver()
        {
            return null;
        }
    }
}

And a MultiLangRes.resx File with one entry: Name: TextReplace, Value: a