Microsoft Defender - clients report a URL being marked as malicious

Dmitry Petrov 21 Reputation points
2022-08-16T09:38:44.613+00:00

Hello everyone,

Our clients reported that one of the links in an email we're sending is being marked as malicious by Microsoft Defender. I've done a lot of searching and it seems like all the solutions are tailored for the system administrators controlling a particular Microsoft Exchange / Microsoft Office 365 instance, and there is zero information about ways to appeal for cases like ours, where our clients have the problem and not us.

One of the options frequently recommended is a submission portal - https://www.microsoft.com/en-us/wdsi/filesubmission/

However, it clearly does not fit the case, because it's not about an email attachment; the problem is about a domain being marked as problematic.

What's the best way to solve this issue?

We've tried asking our clients to report false positives and tried raising paid support tickets; nothing helps.

Exchange Online

Accepted answer
  1. Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff
    2022-08-17T06:44:16.463+00:00

    Hi @Dmitry Petrov ,
    According to my research, the Built-in protection preset security policy provides Safe Links protection to all recipients.
    You could suggest your clients refer to this link to submit the URL that was a false positive to Microsoft for analysis to create allow URL entries.
    Or refer to the following link to create a Safe Links policy and add the URL that was a false positive in the "Do not rewrite the following URLs in email" section. This action will allow access to specific URLs that would otherwise be blocked by Safe Links.
    Set up Safe Links policies in Microsoft Defender for Office 365 - Office 365 | Microsoft Learn


1 additional answer

  1. Josh Rippe 1 Reputation point
    2022-08-30T22:21:43.517+00:00

    A new SafeLinks policy with a list of URLs to not re-write and applied to a subset of users or domains is supposed to fix this issue, although I have never seen it actually work in practice. Microsoft replaced the global settings in safe links with the TABL (Tenant Allow/Block Lists) and the method of allowing a URL is done via submitting in the TABL interface. If you already have a custom SafeLinks policy outside of the built-in protections, edit the protection settings and add the URL(s) to the Do not rewrite section.

    In a pinch, you can also set up a transport rule in Exchange to bypass SafeLinks processing for certain users, or exclude them from existing policy. Neither is ideal for security purposes obviously.

    Lastly, there are lots of SafeLinks URL decoders online you can search for and use to decode the URL and provide to end users, also as a temporary workaround in order to keep your users working.

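An added example, not part of either answer and not Microsoft's own tooling: a local decoder for the Safe Links wrapper mentioned in the last answer, so wrapped URLs can be unwrapped without pasting them into a third-party site. It assumes the common wrapper form `https://<region>.safelinks.protection.outlook.com/?url=<percent-encoded target>&data=...`; the sample URL and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed host suffix of Safe Links wrappers,
# e.g. nam02.safelinks.protection.outlook.com
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
MAX_DEPTH = 5  # guard against pathologically nested wrappers

# Constructed sample: wrapper around https://www.example.com/news?id=42&lang=en
SAMPLE = (
    "https://nam02.safelinks.protection.outlook.com/"
    "?url=https%3A%2F%2Fwww.example.com%2Fnews%3Fid%3D42%26lang%3Den"
    "&data=05%7C01%7Cuser%40example.org%7Cplaceholder"
    "&sdata=placeholder&reserved=0"
)


def is_safelinks(url: str) -> bool:
    """True only if the host itself is under the Safe Links domain."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(SAFELINKS_SUFFIX)


def unwrap_safelinks(url: str) -> str:
    """Return the original destination of a Safe Links URL.

    URLs that are not Safe Links wrappers are returned unchanged.
    Raises ValueError if a wrapper carries no 'url' parameter, the
    wrapped target is not http(s), or the nesting is too deep.
    """
    for _ in range(MAX_DEPTH):
        if not is_safelinks(url):
            return url
        targets = parse_qs(urlsplit(url).query).get("url")
        if not targets:
            raise ValueError("Safe Links wrapper without a 'url' parameter")
        url = targets[0]  # parse_qs has already percent-decoded the value
        if urlsplit(url).scheme.lower() not in ("http", "https"):
            raise ValueError(f"unexpected scheme in wrapped URL: {url!r}")
    raise ValueError("too many nested Safe Links wrappers")


if __name__ == "__main__":
    print(unwrap_safelinks(SAMPLE))
```

Decoding only recovers the original address; it does not change the verdict Defender assigned to it.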
