Microsoft Defender SmartScreen and Defender for Endpoint can classify a site as malicious based on URL reputation, page content, file behavior, TLS security, user feedback, and dynamic behavior. When that happens, users see a red block page and are prevented from accessing the site.
To get Microsoft to re-evaluate and remove an incorrect block (false positive), follow these steps:
- Use the “this site is safe” link on the block page
  - On the SmartScreen/Defender block page in Microsoft Edge, select the link such as "Report that this site doesn't contain (malware/phishing) threats" under the More information section.
  - Submit the requested details and contact email.
  - Wait for the confirmation email from the SmartScreen Reputation Group and, if the issue is urgent, reply to that email to provide additional context and request expedited review.
- Submit the URL through the Microsoft submission portal
  - If the block is being enforced by Defender web protection or Defender for Office 365, submit the affected URLs as false positives using the WDSI file submission portal. This can be done by both the site owner and impacted customers.
  - Follow the guidance in "Submit files for analysis" to provide as much detail as possible (that the site is a digital greeting card service, approximate traffic, when the block started, etc.).
- Improve the site’s security posture to avoid future blocks

  SmartScreen and Defender consider several dimensions when deciding whether to block a site. To reduce the likelihood of being flagged again:
  - Ensure HTTPS is enabled everywhere and uses a valid, up-to-date certificate.
  - Avoid frequent changes to hosting provider or DNS that can hurt domain reputation.
  - Block iframes from loading unknown or untrusted third‑party content.
  - Configure strong security headers such as Content Security Policy (CSP) and other secure response headers.
  - Regularly scan the site and hosting environment for WebShells, trojans, and suspicious uploaded files.
- Ongoing monitoring and false-positive handling
  - If customers are in organizations using Microsoft Defender for Endpoint with Web Content Filtering, admins can temporarily override the block with an Allow indicator while Microsoft completes its review.
  - For future false positives, always use the link on the Edge block page to report the site as safe; this feeds directly into SmartScreen’s reputation system.
Following these steps gets the URL into the official SmartScreen/Defender review pipeline and addresses both the immediate false positive and the underlying factors that may have triggered the block.
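The header-related items in the hardening step (HTTPS, iframe restrictions, CSP and other secure response headers) can be checked mechanically before resubmitting a site. The Python sketch below is an added example, not part of the original answer or any Microsoft tool; the host names, the sample headers and the three headers it treats as "other secure response headers" are assumptions.

```python
# Headers beyond CSP that this example treats as "other secure response headers" (assumption).
EXPECTED = ("strict-transport-security", "x-content-type-options", "referrer-policy")
# Source expressions that let a frame load from any host.
BROAD = {"*", "https:", "http:"}

def parse_csp(value):
    """Return {directive: [sources]}; the first occurrence of a directive wins, as in the CSP spec."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def frame_sources(policy):
    """Sources governing iframes: frame-src, falling back to child-src, then default-src."""
    for name in ("frame-src", "child-src", "default-src"):
        if name in policy:
            return policy[name]
    return None  # no directive applies, so any origin can be framed

def audit(url, headers):
    """Return a list of findings for one response (headers: mapping of name -> value)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not url.lower().startswith("https://"):
        findings.append("not served over HTTPS")
    findings += [f"missing {name}" for name in EXPECTED if name not in h]
    if "content-security-policy" not in h:
        return findings + ["missing content-security-policy"]
    sources = frame_sources(parse_csp(h["content-security-policy"]))
    if sources is None:
        findings.append("CSP does not restrict iframes")
    elif BROAD.intersection(sources):
        findings.append("CSP allows iframes from any host: " + " ".join(sorted(BROAD.intersection(sources))))
    return findings

# Constructed sample responses (not captured from a real site).
WEAK = {"Content-Security-Policy": "script-src 'self'; frame-src https:"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; frame-src 'self' https://player.example.com",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit("https://cards.example.com/", hdrs))
```

An empty findings list means the response meets the header checks only; certificate validity and the malware scan still need their own tooling.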