Not quite sure. It all works for me. I can emulate your problem by simply loading one of the xlsx files into excel and then closing it without making any changes.
Sep 17 09:03:57 Server_A root: ransomware protection:Event on /mnt/user/Intimate/SquidBait-DO_NOT_DELETE.docx, but MD5 matches. Checking again in 1 second
Sep 17 09:03:58 Server_A root: ransomware protection:Event on /mnt/user/Intimate/SquidBait-DO_NOT_DELETE.docx, but MD5 matches. Remonitoring
Sep 17 09:03:58 Server_A root[21619]: Setting up watches.
Sep 17 09:03:58 Server_A root[21619]: Watches established.
Sep 17 09:04:08 Server_A root: ransomware protection:Event on /mnt/user/Intimate/SquidBanking-DO_NOT_DELETE.xlsx, but MD5 matches. Checking again in 1 second
Sep 17 09:04:09 Server_A root: ransomware protection:Event on /mnt/user/Intimate/SquidBanking-DO_NOT_DELETE.xlsx, but MD5 matches. Remonitoring
Sep 17 09:04:09 Server_A root[21740]: Setting up watches.
Sep 17 09:04:09 Server_A root[21740]: Watches established.
It saw that a CLOSE_REWRITE happened, the md5's matched, checked again it still matched, so ignored the event and started the monitoring back up again, then excel triggered it immediately again, and the same thing happened and then the file activity stayed stable, and the "attack" was ignored.