Defender for Cloud - "Communication with possible phishing domain" alert false positives

Hadi D 5 Reputation points

Hello everyone,

I am receiving false positive alerts "Communication with possible phishing domain" on Defender for Cloud.

The domain name isn't malicious. I understand that I can create a suppression rule, but is there another way for me to get Azure to actually rectify this incorrect info?

Example: is appearing in this alert for the Domain Name, but it belongs to and nothing about it is malicious.

Thank you,


1 answer

  1. Givary-MSFT 19,621 Reputation points Microsoft Employee

    @Hadi D Thank you for reaching out to us. As I understand, your concern is related to a false alert reported by Defender for Cloud for "Communication with possible phishing domain", example:

    A similar issue was reported by one of our customers via a support ticket last week; below are the findings and recommendations about this alert.

    alertDisplayName: Communication with possible phishing domain  

    If there are no security events or DNS events on the resource reporting this alert, indicates DNS resolutions for



    On further investigation of this issue (by our internal team): analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service. False positive alerts are expected from security tools from time to time.

    There is not much we can do to suppress/ignore these alerts at a broader level; I would recommend triaging these alerts and proceeding with IR.

    However, I will share your feedback with my team in case there is something we can do about this alert.

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

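The answer above recommends triaging each "Communication with possible phishing domain" alert before deciding whether a suppression rule is appropriate. The following Python helper is an added example, not code from Microsoft or from either poster, showing one way to do that triage consistently before touching suppression rules: it pulls the reported domain out of the alert, checks it against an organisation-owned allowlist, flags lookalike and punycode names that merely resemble owned domains, and refuses to mark an alert as a suppression candidate when the resource also has related security or DNS events (the condition the answer mentions). The alert JSON layout (`alertDisplayName`, `compromisedEntity`, a `Domain Name` entry under `extendedProperties`), the allowlist, and the sample alerts are all constructed assumptions for the example.

```python
"""Triage helper for Defender for Cloud "Communication with possible phishing
domain" alerts.  Added example; field names and sample data are assumptions."""
from dataclasses import dataclass, field

PHISHING_ALERT_NAME = "Communication with possible phishing domain"

# Placeholder: domains the organisation owns and has verified as benign.
KNOWN_BENIGN_SUFFIXES = ("example-corp.com", "example-corp.net")


@dataclass
class TriageResult:
    alert_id: str
    domain: str
    verdict: str                      # "suppress-candidate" or "investigate"
    reasons: list = field(default_factory=list)


def _is_subdomain_of(domain: str, suffix: str) -> bool:
    return domain == suffix or domain.endswith("." + suffix)


def extract_domain(alert: dict) -> str:
    """Return the reported domain, normalised (lower-case, no trailing dot)."""
    ext = alert.get("extendedProperties", {})
    for key in ("Domain Name", "domainName"):          # assumed property names
        if key in ext:
            return ext[key].strip().lower().rstrip(".")
    return ""


def triage_alert(alert: dict, related_event_count: int = 0,
                 benign_suffixes=KNOWN_BENIGN_SUFFIXES) -> TriageResult:
    """Decide whether an alert is a suppression candidate or needs IR triage.

    related_event_count is the number of security/DNS events on the same
    resource in the alert window; the caller is expected to query for it.
    """
    alert_id = alert.get("id", "")
    domain = extract_domain(alert)
    if alert.get("alertDisplayName") != PHISHING_ALERT_NAME:
        return TriageResult(alert_id, domain, "investigate",
                            ["not the phishing-domain alert type"])
    if not domain:
        return TriageResult(alert_id, domain, "investigate",
                            ["no domain name in alert properties"])

    reasons = []
    # Punycode labels can hide homograph lookalikes of an owned domain.
    if any(label.startswith("xn--") for label in domain.split(".")):
        reasons.append("punycode label present; possible homograph")

    owned = any(_is_subdomain_of(domain, s) for s in benign_suffixes)
    if not owned:
        # An owned brand token inside a foreign registrable domain is the
        # classic phishing pattern, e.g. example-corp.com.login-verify.net
        for s in benign_suffixes:
            brand = s.split(".")[0]
            if brand in domain:
                reasons.append(f"lookalike: contains '{brand}' but is not under {s}")
                break

    if related_event_count > 0:
        reasons.append(f"{related_event_count} related security/DNS events on "
                       f"{alert.get('compromisedEntity', '?')}")

    if owned and not reasons:
        reasons.append(f"domain is under an owned suffix and no related events; "
                       f"scope any suppression rule to '{domain}' only")
        return TriageResult(alert_id, domain, "suppress-candidate", reasons)
    if not owned and not reasons:
        reasons.append("domain not in the owned/benign list")
    return TriageResult(alert_id, domain, "investigate", reasons)


# Constructed sample alerts (not real alert data).
SAMPLE_ALERTS = [
    ({"id": "a1", "alertDisplayName": PHISHING_ALERT_NAME, "compromisedEntity": "vm-01",
      "extendedProperties": {"Domain Name": "Assets.Example-Corp.com."}}, 0),
    ({"id": "a2", "alertDisplayName": PHISHING_ALERT_NAME, "compromisedEntity": "vm-02",
      "extendedProperties": {"Domain Name": "example-corp.com.login-verify.net"}}, 0),
    ({"id": "a3", "alertDisplayName": PHISHING_ALERT_NAME, "compromisedEntity": "vm-03",
      "extendedProperties": {"Domain Name": "portal.example-corp.net"}}, 2),
    ({"id": "a4", "alertDisplayName": PHISHING_ALERT_NAME, "compromisedEntity": "vm-04",
      "extendedProperties": {"Domain Name": "xn--exmple-corp-9ya.com"}}, 0),
]


def run_triage(samples=SAMPLE_ALERTS) -> list:
    return [triage_alert(alert, events) for alert, events in samples]


if __name__ == "__main__":
    for r in run_triage():
        print(f"{r.alert_id} {r.domain:40} {r.verdict:18} {'; '.join(r.reasons)}")
```

Only the first sample ends up as a suppression candidate, and even then the reason text reminds the analyst to scope the rule to that exact domain rather than to the whole alert type, which is the distinction the original poster was asking about.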