This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 3%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHD%3C/text%3E%3C/svg%3E)
Hello everyone,
I am receiving false positive alerts "Communication with possible phishing domain" on Defender for Cloud.
the Domain Name isn't malicious, i understand that i can create a suppression rule but is there another way for me to get Azure to actually rectify this incorrect info ?
example: bstatic.com is appearing in this alert for the Domain Name, but it belongs to Booking.com and nothing about it is malicious.
Thank you,
H
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Hadi D Thank you for reaching out to us, As I understand your concern is related to false alert reported by defender for cloud for "Communication with possible phishing domain" example: bstatic.com
Similar issue has been reported by one of the customers via support ticket last week, below are the findings and recommendations about this alert.
alertDisplayName: Communication with possible phishing domain
domainName: bstatic.com,
If there are no security events or DNS events on the resource reporting this alert, indicates DNS resolutions for bstatic.com
Reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference
On further investigating on this issue (by our internal team) - Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service. False positive alerts are expected from security tools from time to time.
There is not much we can do to suppress/ignore these alerts at the broader level, would recommend to triage these alerts and proceed with IR.
However I will share your feedback with my team if there is something we can do about this alert.
Let me know if you have any further questions, feel free to post back.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.