email marked as phising due to Microsoft Defender URL.

Question

email is marked as high phish and moving to quarantine. We are attaching one file from share point in a email and addition url "ur01.safelinks.protection.outlook.com/ap/x-59584e83" is adding on that file and marking email as phishing.

Answer 1

Hi @Microsoft Q & A ,

Does this issue only affect this particular email or it affects all mails containing URLs rewritten by safelinks?
Just wondering how you found out that the email was quarantined because of the "Microsoft Defender URL"? Because as far as I know, the Safe Links feature is intended to protect an organization from malicious links and normally this will not lead a message to be sent to quarantine.

Given this, I'd recommend go the Quarantine in the Microsoft 365 Defender portal, select the email in question to open up the details flyout, take a note of the relative information such as Quarantine reason, Policy type and Policy name. This might help investigate further on why this mail got quarantined.

If it only occurs to this particular email and there's nothing special in the policy involved, it's likely to be a false positive and it's recommended to select "Submit the message to Microsoft to improve detection" when releasing this mail. This will report the erroneously quarantined message to Microsoft as a false positive. And depending on the results of the analysis, the service-wide spam filter rules might be adjusted to allow the message through. See Manage quarantined messages and files as an admin.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.