Forum Discussion
JeremyTBradshaw
Oct 03, 2023Steel Contributor
URL Detonation Reputation - How do you like it?
I personally have found this detection technology to be a huge pain in the buttocks. To me, this feature doesn't really look at specific threats or risks, it just says "You cannot do anything that involves this domain name". And with that analogy, "involves" translates to any of the following:
- Domain is in the subject or body
- One of the included recipient addresses to which the message is addressed uses the domain.
- One of the recipients who show in the body of the email due to it being a conversation/thread, uses that domain in their address.
- An attachment includes that domain within its text (PDF, Word, Excel, TXT, all personally observed by me).
These things get blocked as "High confidence phish". To me, they are not that whatsoever, until the message itself is doing some of the "phish" verb. This feels like an overstep on the verdict and I'd prefer they come up with a new name for the detection type, as well as a new drop down box for us to choose between MoveToJunk or Quarantine. Most times I've observed this feature "saving" clients, it's a pain in the butt for the client.
I will point out the one improvement I've seen since I started belly-aching over this - it is that Microsoft now puts the bad URL/domain from within the attachments, into the list of URLs in the email entity page within M365 Defender portal. So there is at least that there now, which adds the improvement of not having to go through MS Support to find out what is the supposed bad-rep URL.
Would like to know if anyone else finds this feature as a pain for the most part, and hear any other suggestions, or just confirmations about my suggestion (new category of detection so we don't have to treat these things like (HC)phish).
Well, I just couldn't hold off on further comment. Things keep developing and my blown-away-ness keeps growing.
URL detonation reputation seems to be less popular now, in favor of the now super popular "URL Malicious Reputation", not sure if this was a rename or is actually just new categorization trends by EOP/MDO. In any case, here's the latest beef, and note I'm broadening the target for these pessimistic castings to cover EOP/MDO as a whole:
1.) I see a lot of URL Malicious Reputation emails being caught upon receipt. But then I also see a lot of these being caught by ZAP. What is most incredibly annoying about this, when the emails are truly bad, somehow EOP / MDO ALWAYS have to miss a small percentage and those messages slip though like they're perfectly fine, into Inbox. Exact same email sent to 100 users, ~5 will very-often get through as "No threats".
2.) When domain 123EXAMPLE321.COM makes the bad reputation list, and then remains on there, but about 15 days into this state, messages STILL SLIP THROUGH THE CRACKS as described in #1 - I call this completely inexplicable. The AI has but zero intelligence.
3.) As of late, when ZAP "fails to move message", Defender now is confused (or is now enlightened, really not sure which) and will not let us perform a manual remediation to move the item from Junk to Quarantine. Nor can we do that by using the Report as Phish/Junk remediate type, because if it's already in Junk, there's nothing to report, I guess? So what this results in is - message comes in, lands in Junk, and just as described in #2, seconds later ZAP wants to move it to Quarantine, but fails. Remediation options for admins = manually go an delete that message or ask the user to. There's nothing in Defender Portal nor EXO Admin Center that is going to let the admin do that. This is steps backwards.
The automation is nice, but when it repeatedly works like a (GIANT) raging bull in a china shop, hard to really appreciate it.
- josh385Copper ContributorFor our issue, it turned out to be in the email signature. Something in there, whether it was URL or whatever caused it. I removed the signature and emails went right through.
- LanceVSCopper Contributor
This issue has been resolved for us, for now.
Having been 6.5 months into this, I'm not too optimistic. However emails have been hitting the inbox for 9 days now. This is by far the longest stint of the emails making the inbox - they usually stop after 48-72 hours.
I went through Professional Direct Support - although from what I can tell that didn't necessarily put me in front of anyone different from the regular support channels within the Admin Center. The difference is I have a point of contact so I'm not shuffled to different support engineers who make me start over from scratch describing the issue, etc.
They initially claimed they resolved the issue and as usual, the emails started to be blocked again after 72 hours. They wouldn't tell me what they did to get the emails to start going again.
This time around, I received the following:
My Support team confirmed that they have taken our website off the block list and have done what is needed to make sure that the problem is fully fixed. Please verify the behavior and continue to monitor it until Monday to make sure that it is completely resolved.
It's interesting for a couple of reasons.
Why couldn't this have been done at ANY POINT during the last 6.5 months?!
I was told over and over that they don't have access to this "block/filter list", and that the only way to get through it is to "train" it by submitting false positives to Microsoft. Which, that didn't work, after hundreds of submissions.
Any time I have come across this issue online and someone has gotten it resolved, they have stated support has said the exact same thing. That they were removed from a list.
I have no idea how to help anyone else experiencing this horrible situation. I tried referencing ticket numbers in the past and it didn't get me anywhere. But if you are lucky, here are my ticket numbers that were used. Perhaps they can look at them to see what the issue was.
2401090040001245
2402020040010329
I believe the top one is the one that did the trick, but I honestly don't know. And if I go look at my Service Request History, all of my correspondence shows up as null, when previously I could read every single email. That's not comforting.
I'm still going to wait another week or two to get more confidence that the issue is resolved. But hopefully I don't have to come back here reporting that the problem is back.
Good luck - again I apologize for anyone else experiencing this - it was the worst thing I have had to deal with with all of the time/energy put into it when from day 1 I knew exactly what needed to be done but Microsoft refused to provide appropriate help.
- WKlennerCopper Contributor
I just want to drop a short "me too". Since 02. May we experience exact the same problem. I'm sure, that this is a very faulty design and in a complexity, so that almost no one at Microsoft can see that this is going horrible wrong. And they have no idea, how many troubles and cost they are causing.
Thank you for sharing the ticket#, I have a very tiny bit of hope, that it can help in my case.
- AlvyTechCopper Contributor
Since around the 5th May we've been experiencing the same problems with any emails that originate from us to our Office 365 using customers.
We're now five weeks into our support ticket and are no closer to resolving the issue.
Our customers, that mostly use Office 365 due to being businesses, can no longer receive any emails with links to our own company's product portal or documentation, it all gets caught by the quarantine mechanism as a High Confidence Phishing action, and the URLs marked as phishing.
We've submitted over 50 URL submissions via the Submissions area of the Microsoft Defender site, with most of them coming back as "Unknown - we checked, but a decision couldn't be made.".
This leaves us without any way of correcting the false positives, and Microsoft Support have so far not come back with any resolutions.URL Detonation Reputation is a train wreck that's destroying businesses.
- LanceVSCopper Contributor
Thanks for posting. I've been dealing with this exact issue for 4 months (!!!). It's been EXTREMELY frustrating. My business can't send emails to any MS email with my domain in it, and it affects all of my clients as well - sending links to their customers.
Every day I submit emails for review that were quarantined and most stated "should not have been blocked". I also submit my base domain URL to the URL section, and it usually states the same.
However, the emails continue to be blocked.
Every now and then (maybe once every two weeks?) emails will start to come through. But then after a day or two, ZAP comes along and retroactively removes everything from the inbox and reinstates the block. It's so frustrating.
MS Support Engineers are absolutely clueless, or just don't have the tools necessary to deal with this. They continue to want to resolve the issue at a single tenant level, which is completely ludicrous because this affects ALL TENANTS. It's not a tenant issue - it's a MS issue, blocking/marking my domain as High Confidence Phish. For reasons I have no idea why.
If they would work with me to determine the reason it's happening and allow me to fix it (if there even is a problem), and verify the domain is legit, it would be very helpful. Until then, my business continues to be hammered with customers leaving because email notifications are important aspect and they see how long it's taking and are getting frustrated and going elsewhere.
- JeremyTBradshawSteel Contributor
LanceVS I feel your pain. It's a helpless position to be in and MS Support is either completely under water or completely unsympathetic. Once you cross them with some passionate dissatisfaction it becomes a long silence game and eventually (usually only ever 30 days too late) you get asked for all new evidence to prove the issue still exists. By then my frustration is so high that I politely ask to close the case and move on out of self preservation.
Nobody would believe it's this bad without being in the weeds experiencing it. But the broad reputation strokes - I assume this is so bad that eventually competitors will use it as a laughing point when pitching the sale of their competing product. Albeit this (MS, EOP/MDO) is the company/ product I want to like and have invested my entire working life too. So it's tough.
Seems like endpoints need to be stronger at handling things they end up receiving, rather than servers shoving tons of false positives under the high confidence rug. Lose-lose maybe not sure.
Hope you get it sorted ASAP.
- Jeremy705Copper ContributorHas anyone else come up with a method for getting around this?
I have a client whose internal and external email is getting quarantined due to "URL Detonation Reputation". One of their staff has to constantly monitor the 365 quarantine and release their own internal messages to each other.
I've opened a ticket with Microsoft, but they didn't seem to help at all. It seemed to be getting better for a day or two, but has become an issue again.
- jvanbeusekomBrass ContributorI really would like an option to disable this. Too many emails are being blocked what should not have. Really annoying.
Even internal email is now being blocked due to this. - JeremyTBradshawSteel ContributorToday, one of the larger global mass mailing companies finds one of their VERY popular domains on Microsoft's URL detonation reputation bad list. I don't want to say the domain, but can only assume the entire planet is working overtime right now and tonight doing damage control. It's a real nightmare this feature. The mass mailer's click-tracking links use this affected domain, and in one large tenant this means several 1000 emails to the quarantine today. I imagine it is billions if not trillions of emails across all EOP / MDO customers. Many of these detections would be no threat directly involved. Customers have no way to know and only know that Safe Links thinks every last one of them must be phishing.
There's got to be a better and more graceful way for this product feature to exist. This is downright insanity.- AlfredBCopper ContributorHi Jeremy,
how are you?
I think that Microsoft must be made accountable for this problem and start compensating their clients for the damage caused.
MS must fix this problem ASAP. People can't wait, they are missing out on inbound and outbound emails if their domain URL is detected as Malware. This means loss of potential business and money.
Best regards
Alfred- onandoffBrass ContributorJust an update which I hope others may find useful: after opening a support case with MS, we've learned that submitting the URLs (not, or not only, the emails) as false positives, their machine algorithm is considerably improving. Not only the messages with URLs in that CC domain are no longer identified as HCPhish by URL Detonation Reputation, but even majority of the previously quarantined emails were reprocessed and released to users' mailboxes.
- onandoffBrass ContributorI fully agree with your statements; we suffer the same and there's no point in reiterating.
One additional comment: every too often we cannot avoid the feeling that MS is using its customer base admins as the "human eye" in support of their machine learning algorithms.
I am not sure if MS took the article down or I am just unable to find it, but thanks to google's cache, we can still see how MDO's backend should work: https://webcache.googleusercontent.com/search?q=cache:e6jE_JBWBUcJ:https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/reporting-an-email-in-microsoft-defender-for-office-365/ba-p/2870231&cd=11&hl=en&ct=clnk&gl=it
- Ana_B2110Copper Contributor
For a week now, all email communication to and from our organization, containing any notion of our own domain name has been directed to the quarantine based on the URL detonation reputation because our domain is marked to allegedly contain malware. We have had the servers scanned through and throughout and the website is clean and Microsoft has confirmed to us that it's an issue on their part. The consequences for our business are catastrophic. Even if I release every single message sent from the organization, there is not quarantee that the recieving organization will not quarantine it either on the way in or once it's responded to. A ticket with Microsoft has not helped solve the issue by now. This is like a Denial of Service attack on our company from the side of Microsoft and I'm very angry that it's taking so long to solve it.
- AlfredBCopper Contributor
Yes, Microsoft has detonated your/our businesses with their buggy detonation URL technology.
MS should pay clients for the damage that they have caused to businesses.
In the mean time, while they are trying to fix their problems, MS should provide the ability to disable detonation technology.
Pissssedoff consumer
- JeremyTBradshawSteel ContributorI'm sorry to hear that, and I've not actually even heard the perspective of a live bad-rep. domain holder yet. I can only speak for the recipient side. In any case, I can understand the danger being prevented, but it really should be surfaced to customers (sending/receiving) sooner and more obviously.
Again, I suggest every customer take full advantage of the 30-day quarantine, and end user notifications as there is no other way to be on top of false positives at scale, safely. Not saying users have to be allowed to release everything, just saying they should be in the loop and helping identify when something important has not been delivered.
EOP/MDO excel and are tremendous in that regard.- Ana_B2110Copper Contributor
Unfortunately private quarantines would not make any difference in this case. We've advanced so far now that most internal messages can be sent and received without a detour to the quarantine and email can also be sent out. I'm only releasing a few messages a day by now. The problem has moved away from our tenants control. A message trace shows that all outgoing messages are still flagged as containing Malware in the URL which gets picked up by the external organizations quarantine policies if they are working in the Microsoft environment. As a consequence we do not get any replies to our emails and all our partners now think that we are distributing malware, which we are not.
The support technician concluded that this is likely because our webhost is listed on a blacklist called UCEPROTECTL3, which lists entire IP ranges instead of single domains. They have had our webhost, one of the biggest web hosts in the world, on the list since 2021. The fact that one can pay to be removed from the list does not speak values of the seriousness of this list provider and I don't think Microsoft should actually use it if they do. It's like the police imprisoning everyone who lives on the same street as someone who robbed the bank so they can keep the street safe.
Interestingly our IP-address is not flagged as Malware if added to the message, only the domain in text (with or without hyperlink). We have now taken steps to move to another webhost but we are not convinced that it will necessarily solve the issue. Just another big cost of this whole mess 😕
- AlfredBCopper Contributor
Hi Jeremy,
how are you?
Thank you very much for this post.
I personally think that the Microsoft detonation reputation URL technology really sucks because it does not test whether the link is malicious, phishy or not.
Just 2 days ago my friend told me that his MS365 Outlook emails were not being received by some clients even though there were no viruses on his computer, he was not spamming, his WAN IP was not on a blacklist.
If he sent an email with just a text message, everything would be OK but if he attached an INVOICE PDF file his messages would not be delivered. I was able to send JPG, WORD files without issues.
I did a message trace on these messages to realise that they were being quarantined due to malware.
There was nothing wrong with his pdf file except for the URL of his website IE www.domain.com in the page header of his invoice.
He was creating the invoices with excel than exporting his invoice to PDF.
When I removed the URL of his website from the excel invoice template, the emails would deliver.
Therefore I temporarily modified his website URL of the invoice header to domain.com which allowed the email to be sent.
The URL detonation technology shouldn't assume that all links are bad. There should be some checking to verify if the links are malicious or not.
This could also cause inbound emails to be quarantined if they have links in them.
He only has a business standard subscriptions and he is not going to purchase a windows defender premium subscription because he is a small businessman.
I was able to create an exclusion under safelinks for his website URL but only for 30 days.
This is really disappointing.
Best regards
Alfred
- Ana_B2110Copper ContributorHi Alfred,
We've had issues with PDFs too and I'm going to test the same as you did. Thanks! This could be really usefull. On the long run though, we did the same and added our domain on the allow list for safe links, but so far that has only allowed the emails to leave our tenant. Customers and clients who work with Microsoft quarantine the messages on their end now so we still don't have any functioning email communication available to us. People have even tried to send invoices and reports as PDFs from their private emails, but if they contain our domain, the other organizations don't receive the messages. There must be away to get a domain off that list, right? - JeremyTBradshawSteel Contributor
AlfredB what you described - seeing it often. The M365 apps to PDF seems to be a regular trait of the situations. Makes me think they give too much weight to URLs particularly when in attached PDFs. But I agree. This is a lot of reaching with these intense verdicts.
That said, this points out how relevant the Quarantine policy permission "Request to release" is. I personally feel all threat types should be quarantined not rejected, and for the worst threats, Request to Release permission. This way admins don't have to be on the hook for missing false positives that go away permanently. Users would be responsible to review their own Quarantine.
Problem is, there's a ton of high confidence Phish so it can lead to Quarantine fatigue for users.
Email is a little annoying in this area.