Defender for Cloud - "Communication with possible phishing domain" alert false positives

Hadi D 10 Reputation points
2023-08-29T22:19:05.4933333+00:00

Hello everyone,

I am receiving false positive alerts "Communication with possible phishing domain" on Defender for Cloud.

The domain name isn't malicious. I understand that I can create a suppression rule, but is there another way for me to get Azure to actually rectify this incorrect info?

Example: bstatic.com is appearing in this alert as the Domain Name, but it belongs to Booking.com and nothing about it is malicious.

Thank you,

H


1 answer

  1. Givary-MSFT 35,591 Reputation points Microsoft Employee
    2023-08-31T09:52:23.4+00:00

    @Hadi D Thank you for reaching out to us. As I understand, your concern is related to a false alert reported by Defender for Cloud for "Communication with possible phishing domain", example: bstatic.com.

    A similar issue was reported by one of the customers via a support ticket last week; below are the findings and recommendations about this alert.

    alertDisplayName: Communication with possible phishing domain
    domainName: bstatic.com

    If there are no security events or DNS events on the resource reporting this alert, it indicates DNS resolutions for bstatic.com.


    Reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference

    On further investigation of this issue (by our internal team): Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service. False positive alerts are expected from security tools from time to time.

    There is not much we can do to suppress/ignore these alerts at the broader level; I would recommend triaging these alerts and proceeding with IR.

    However, I will share your feedback with my team if there is something we can do about this alert.

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

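One way to act on the "triage rather than suppress" recommendation in the answer above, as an added example (not Microsoft's code or part of the original thread): a small Python triage helper that reads the `alertDisplayName` / `domainName` fields quoted in the answer and checks the domain against an assumed, organisation-maintained allowlist of verified-benign domains. The matching is done on label boundaries so that lookalike names (a benign domain used as a prefix or embedded in a longer name) are still sent to investigation instead of being waved through. The alert records are constructed samples.

```python
"""Triage helper for Defender for Cloud "Communication with possible phishing
domain" alerts. Added example; the allowlist and alert records are assumptions."""

# Assumed allowlist: registrable domains the organisation has verified as benign.
# bstatic.com is the Booking.com static-content domain named in the question.
KNOWN_BENIGN = {"bstatic.com"}

PHISHING_ALERT = "Communication with possible phishing domain"


def matches_allowlist(domain: str, allowlist: set[str]) -> bool:
    """True only if `domain` equals an allowlisted name or is a proper subdomain
    of one. Checking on label boundaries (".<name>") rather than plain substring
    avoids matching lookalikes such as 'bstatic.com.example' or 'notbstatic.com'."""
    d = domain.strip().lower().rstrip(".")
    return any(d == a or d.endswith("." + a) for a in allowlist)


def triage(alert: dict, allowlist: set[str] = KNOWN_BENIGN) -> str:
    """Return one of:
      'ignore'                - not a phishing-domain alert, out of scope here
      'likely_false_positive' - domain is on the verified-benign allowlist
      'investigate'           - anything else; hand over to the IR process"""
    if alert.get("alertDisplayName") != PHISHING_ALERT:
        return "ignore"
    if matches_allowlist(alert.get("domainName", ""), allowlist):
        return "likely_false_positive"
    return "investigate"


# Constructed sample alerts mimicking the two fields quoted in the answer.
SAMPLE_ALERTS = [
    {"alertDisplayName": PHISHING_ALERT, "domainName": "bstatic.com"},
    {"alertDisplayName": PHISHING_ALERT, "domainName": "cf.bstatic.com"},
    {"alertDisplayName": PHISHING_ALERT, "domainName": "bstatic.com.example"},
    {"alertDisplayName": PHISHING_ALERT, "domainName": "notbstatic.com"},
    {"alertDisplayName": "Some other alert", "domainName": "bstatic.com"},
]


def triage_all(alerts: list[dict]) -> list[tuple[str, str]]:
    """Return (domainName, verdict) pairs so the verdicts can be reviewed in bulk."""
    return [(a.get("domainName", ""), triage(a)) for a in alerts]


if __name__ == "__main__":
    for domain, verdict in triage_all(SAMPLE_ALERTS):
        print(f"{domain:25} {verdict}")
```

Only the allowlisted verdicts are candidates for a suppression rule; everything marked `investigate` still goes through the incident response steps the answer recommends.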
