Since mid July, Microsoft's spam-filter has been blocking all e-mails containing the URL to our company web site, but ONLY when the URL includes the 'www' part. References to the main domain work perfectly fine. This happens regardless of who the sender is, and the reason is given as 'anti-malware protection'.
We do know that the SSL certificate for our web site was incorrectly configured for the www variant of the URL for a while, but this was fixed on August 16th. We have since reviewed configuration and submitted the affected URL as a false positive through Microsoft 365 admin center several times, but the system still insists the URL should have been blocked. Again, the naked domain leading to the exact same content is accepted without a hitch.
Office 365 support, our web hosting company, and several IT consultants have been unable to identify a reason. Other systems we have tried, scan our web site as low risk and perfectly OK.
Can someone with insight in Microsofts spam filter find the concrete reason why the URL is blocked, so we can remedy whatever fault remains on our web site?
Could the URL still be affected by some sort of override/quarantine due to earlier certificate issues, and if so, how long it will last?