Forum Discussion
URL Detonation Reputation - How do you like it?
- Jan 04, 2024
Well, I just couldn't hold off on further comment. Things keep developing and my blown-away-ness keeps growing.
URL detonation reputation seems to be less popular now, in favor of the now super popular "URL Malicious Reputation", not sure if this was a rename or is actually just new categorization trends by EOP/MDO. In any case, here's the latest beef, and note I'm broadening the target for these pessimistic castings to cover EOP/MDO as a whole:
1.) I see a lot of URL Malicious Reputation emails being caught upon receipt. But then I also see a lot of these being caught by ZAP. What is most incredibly annoying about this is that, when the emails are truly bad, somehow EOP / MDO ALWAYS have to miss a small percentage and those messages slip through like they're perfectly fine, into Inbox. Exact same email sent to 100 users, ~5 will very often get through as "No threats".
2.) When domain 123EXAMPLE321.COM makes the bad reputation list, and then remains on there, but about 15 days into this state, messages STILL SLIP THROUGH THE CRACKS as described in #1 - I call this completely inexplicable. The AI has but zero intelligence.
3.) As of late, when ZAP "fails to move message", Defender now is confused (or is now enlightened, really not sure which) and will not let us perform a manual remediation to move the item from Junk to Quarantine. Nor can we do that by using the Report as Phish/Junk remediate type, because if it's already in Junk, there's nothing to report, I guess? So what this results in is - message comes in, lands in Junk, and just as described in #2, seconds later ZAP wants to move it to Quarantine, but fails. Remediation options for admins = manually go and delete that message or ask the user to. There's nothing in Defender Portal nor EXO Admin Center that is going to let the admin do that. This is a step backwards.
The automation is nice, but when it repeatedly works like a (GIANT) raging bull in a china shop, hard to really appreciate it.
Hi Jeremy,
how are you?
Thank you very much for this post.
I personally think that the Microsoft detonation reputation URL technology really sucks because it does not test whether the link is malicious, phishy or not.
Just 2 days ago my friend told me that his MS365 Outlook emails were not being received by some clients even though there were no viruses on his computer, he was not spamming, his WAN IP was not on a blacklist.
If he sent an email with just a text message, everything would be OK, but if he attached an INVOICE PDF file his messages would not be delivered. I was able to send JPG and WORD files without issues.
I did a message trace on these messages to realise that they were being quarantined due to malware.
There was nothing wrong with his PDF file except for the URL of his website, i.e. http://www.domain.com, in the page header of his invoice.
He was creating the invoices with Excel, then exporting his invoice to PDF.
When I removed the URL of his website from the excel invoice template, the emails would deliver.
Therefore I temporarily modified his website URL of the invoice header to domain.com which allowed the email to be sent.
The URL detonation technology shouldn't assume that all links are bad. There should be some checking to verify if the links are malicious or not.
This could also cause inbound emails to be quarantined if they have links in them.
He only has a Business Standard subscription and he is not going to purchase a Windows Defender premium subscription because he is a small businessman.
I was able to create an exclusion under Safe Links for his website URL, but only for 30 days.
This is really disappointing.
Best regards
Alfred
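The diagnosis Alfred walks through above (message trace, find out why the invoice messages were quarantined, then time-box an allow for the website URL) can be done from Exchange Online PowerShell. The following is an added example, not code from anyone in this thread, and assumes the ExchangeOnlineManagement module and an admin account with the relevant Exchange Online roles; all addresses and the URL are constructed placeholders. Alfred created his exclusion in the Safe Links portal page; the Tenant Allow/Block List cmdlet in step 4 is one PowerShell route to a comparable 30-day allow entry, which is an assumption about where his exclusion lives.

```powershell
# Added example (not from the thread). Placeholders below are constructed.
Connect-ExchangeOnline

$sender    = 'sender@example.com'   # the sender whose invoices were not arriving
$recipient = 'client@example.net'   # a recipient who reported not receiving them
$start     = (Get-Date).AddDays(-7)
$end       = Get-Date

# 1. Message trace: list the messages with their delivery status.
#    Status other than 'Delivered' (e.g. 'Quarantined', 'FilteredAsSpam') is what to chase.
$trace = Get-MessageTrace -SenderAddress $sender -RecipientAddress $recipient `
                          -StartDate $start -EndDate $end
$trace | Select-Object Received, Subject, Status, MessageId | Format-Table -AutoSize

# 2. For anything not delivered, pull the per-message events to see which filter acted.
foreach ($m in $trace | Where-Object { $_.Status -ne 'Delivered' }) {
    Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $recipient |
        Select-Object Date, Event, Action, Detail | Format-Table -AutoSize
}

# 3. Confirm the quarantine verdict (Type: Malware vs. Phish vs. Spam) and which policy
#    applied it. In Alfred's case this showed a malware verdict on an invoice PDF whose
#    only URL was the sender's own website.
Get-QuarantineMessage -SenderAddress $sender -StartReceivedDate $start -EndReceivedDate $end |
    Select-Object ReceivedTime, Subject, Type, PolicyName, Expires, ReleaseStatus |
    Format-Table -AutoSize

# 4. Time-boxed allow for the website URL in the Tenant Allow/Block List
#    (allow entries carry an expiry; 30 days here, matching what Alfred reports).
New-TenantAllowBlockListItems -ListType Url -Allow -Entries 'www.example.com' `
    -ExpirationDate (Get-Date).AddDays(30) `
    -Notes 'False positive: sender website URL in invoice PDF header'
```

Step 3 is the one worth keeping around: the `Type` and `PolicyName` columns tell you whether the message was stopped by anti-malware, anti-phishing, or anti-spam, which decides where any allow or policy change has to go.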
- Ana_B2110 Oct 24, 2023 Copper Contributor
Hi Alfred,
We've had issues with PDFs too and I'm going to test the same as you did. Thanks! This could be really useful. In the long run though, we did the same and added our domain on the allow list for Safe Links, but so far that has only allowed the emails to leave our tenant. Customers and clients who work with Microsoft quarantine the messages on their end now, so we still don't have any functioning email communication available to us. People have even tried to send invoices and reports as PDFs from their private emails, but if they contain our domain, the other organizations don't receive the messages. There must be a way to get a domain off that list, right?
- JeremyTBradshaw Oct 08, 2023 Iron Contributor
AlfredB what you described - seeing it often. The M365 apps to PDF seems to be a regular trait of the situations. Makes me think they give too much weight to URLs particularly when in attached PDFs. But I agree. This is a lot of reaching with these intense verdicts.
That said, this points out how relevant the Quarantine policy permission "Request to release" is. I personally feel all threat types should be quarantined not rejected, and for the worst threats, Request to Release permission. This way admins don't have to be on the hook for missing false positives that go away permanently. Users would be responsible to review their own Quarantine.
Problem is, there's a ton of high confidence Phish so it can lead to Quarantine fatigue for users.
Email is a little annoying in this area.
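The quarantine posture Jeremy argues for (quarantine rather than reject or junk, and "Request to release" rather than self-service release for the worst verdicts) is a small amount of Exchange Online PowerShell. The following is an added example, not from anyone in this thread; the policy name is constructed, the default policy identities are the ones Exchange Online creates, and the permission bitmask values are the ones Microsoft documents for "Limited access" (23, request release) and "Full access" (27, user can release), which you should confirm against the current cmdlet documentation before applying.

```powershell
# Added example (not from the thread). Policy name 'RequestReleaseOnly' is constructed.
Connect-ExchangeOnline

# 1. A quarantine policy where end users may preview, delete and block the sender,
#    but can only *request* release; an admin approves or denies.
#    EndUserQuarantinePermissionsValue is a bitmask: 23 = limited access
#    (request release), 27 = full access (self-service release).
#    ESNEnabled turns on quarantine notifications so users actually review their queue.
New-QuarantinePolicy -Name 'RequestReleaseOnly' `
    -EndUserQuarantinePermissionsValue 23 `
    -ESNEnabled $true

# 2. Point the worst verdicts at it and make sure the action is Quarantine, not
#    Junk or delete. High-confidence phish lives in the anti-spam (hosted content
#    filter) policy; spoof verdicts live in the anti-phishing policy; malware in
#    the malware filter policy.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -PhishSpamAction Quarantine `
    -HighConfidencePhishQuarantineTag 'RequestReleaseOnly'
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -SpoofQuarantineTag 'RequestReleaseOnly'
Set-MalwareFilterPolicy -Identity 'Default' `
    -QuarantineTag 'RequestReleaseOnly'

# 3. The admin side of "request release": list what users have asked for.
Get-QuarantineMessage -ReleaseStatus Requested |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Type |
    Format-Table -AutoSize
```

The trade-off Jeremy names is real: with high-confidence phish volume, step 1's notifications can become noise, so it is worth leaving ordinary spam and bulk on the full-access (27) policy and reserving request-release for the verdicts where a wrong release actually hurts.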