Forum Discussion
URL Detonation Reputation - How do you like it?
- Jan 04, 2024
Well, I just couldn't hold off on further comment. Things keep developing and my blown-away-ness keeps growing.
URL detonation reputation seems to be less popular now, in favor of the now super popular "URL Malicious Reputation", not sure if this was a rename or is actually just new categorization trends by EOP/MDO. In any case, here's the latest beef, and note I'm broadening the target for these pessimistic castings to cover EOP/MDO as a whole:
1.) I see a lot of URL Malicious Reputation emails being caught upon receipt. But then I also see a lot of these being caught by ZAP. What is most incredibly annoying about this, when the emails are truly bad, somehow EOP / MDO ALWAYS have to miss a small percentage and those messages slip through like they're perfectly fine, into Inbox. Exact same email sent to 100 users, ~5 will very often get through as "No threats".
2.) When domain 123EXAMPLE321.COM makes the bad reputation list, and then remains on there, but about 15 days into this state, messages STILL SLIP THROUGH THE CRACKS as described in #1 - I call this completely inexplicable. The AI has but zero intelligence.
3.) As of late, when ZAP "fails to move message", Defender now is confused (or is now enlightened, really not sure which) and will not let us perform a manual remediation to move the item from Junk to Quarantine. Nor can we do that by using the Report as Phish/Junk remediate type, because if it's already in Junk, there's nothing to report, I guess? So what this results in is - message comes in, lands in Junk, and just as described in #2, seconds later ZAP wants to move it to Quarantine, but fails. Remediation options for admins = manually go and delete that message or ask the user to. There's nothing in Defender Portal nor EXO Admin Center that is going to let the admin do that. This is steps backwards.
The automation is nice, but when it repeatedly works like a (GIANT) raging bull in a china shop, hard to really appreciate it.
For a week now, all email communication to and from our organization, containing any notion of our own domain name, has been directed to the quarantine based on the URL detonation reputation because our domain is marked to allegedly contain malware. We have had the servers scanned through and throughout and the website is clean, and Microsoft has confirmed to us that it's an issue on their part. The consequences for our business are catastrophic. Even if I release every single message sent from the organization, there is no guarantee that the receiving organization will not quarantine it either on the way in or once it's responded to. A ticket with Microsoft has not helped solve the issue by now. This is like a Denial of Service attack on our company from the side of Microsoft and I'm very angry that it's taking so long to solve it.
- AlfredB, Oct 23, 2023, Copper Contributor
Yes, Microsoft has detonated your/our businesses with their buggy detonation URL technology.
MS should pay clients for the damage that they have caused to businesses.
In the meantime, while they are trying to fix their problems, MS should provide the ability to disable detonation technology.
Pissssedoff consumer
- JeremyTBradshaw, Oct 22, 2023, Iron Contributor
I'm sorry to hear that, and I've not actually even heard the perspective of a live bad-rep. domain holder yet. I can only speak for the recipient side. In any case, I can understand the danger being prevented, but it really should be surfaced to customers (sending/receiving) sooner and more obviously.
Again, I suggest every customer take full advantage of the 30-day quarantine, and end user notifications as there is no other way to be on top of false positives at scale, safely. Not saying users have to be allowed to release everything, just saying they should be in the loop and helping identify when something important has not been delivered.
EOP/MDO excel and are tremendous in that regard.
- Ana_B2110, Oct 24, 2023, Copper Contributor
Unfortunately private quarantines would not make any difference in this case. We've advanced so far now that most internal messages can be sent and received without a detour to the quarantine and email can also be sent out. I'm only releasing a few messages a day by now. The problem has moved away from our tenant's control. A message trace shows that all outgoing messages are still flagged as containing Malware in the URL, which gets picked up by the external organizations' quarantine policies if they are working in the Microsoft environment. As a consequence we do not get any replies to our emails and all our partners now think that we are distributing malware, which we are not.
The support technician concluded that this is likely because our webhost is listed on a blacklist called UCEPROTECTL3, which lists entire IP ranges instead of single domains. They have had our webhost, one of the biggest web hosts in the world, on the list since 2021. The fact that one can pay to be removed from the list does not speak values of the seriousness of this list provider and I don't think Microsoft should actually use it if they do. It's like the police imprisoning everyone who lives on the same street as someone who robbed the bank so they can keep the street safe.
Interestingly our IP-address is not flagged as Malware if added to the message, only the domain in text (with or without hyperlink). We have now taken steps to move to another webhost but we are not convinced that it will necessarily solve the issue. Just another big cost of this whole mess 😕
- JeremyTBradshaw, Oct 24, 2023, Iron Contributor
Sorry again, to confirm I only meant the Quarantine 30-day point as a proactive general statement for all customers, to increase their chances of finding mail that has failed to deliver and do damage control. In this case, referring to all your recipients and hoping that they use and manage their quarantine.
I guess another way to say my point is that everyone should expect a certain amount of false positives because they happen a lot. Not saying it's good or OK etc.
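The advice above (keep quarantined mail for the full 30 days, notify end users so they help spot false positives without being able to release everything themselves, and use message trace to find mail that never arrived) is easy to apply with the ExchangeOnlineManagement module. The following is an added example written for this page; it is not code from any participant in the thread or from Microsoft's documentation. The admin UPN, the quarantine policy name "Notify-RequestRelease" and the domain contoso.example are placeholders and should be replaced.

```powershell
# Added example (not from the thread). Requires the ExchangeOnlineManagement module
# and an account with Exchange Online / Security administrator rights.
# Placeholders (assumed, not from the thread): admin@contoso.example, contoso.example,
# and the quarantine policy name "Notify-RequestRelease".
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Retention: keep quarantined items for 30 days (the maximum the service allows),
#    so a false positive is still there when someone finally notices the mail is missing.
Set-HostedContentFilterPolicy -Identity Default -QuarantineRetentionPeriod 30

# 2. Quarantine policy with end-user notifications (ESNEnabled) and limited permissions.
#    EndUserQuarantinePermissionsValue is a bit mask:
#      128 ViewHeader, 64 Download, 32 AllowSender, 16 BlockSender,
#        8 RequestRelease, 4 Release, 2 Preview, 1 Delete
#    16 + 8 + 2 + 1 = 27: users can block the sender, preview, delete and *request*
#    a release, but only an admin can actually release.
$policy = New-QuarantinePolicy -Name "Notify-RequestRelease" `
    -EndUserQuarantinePermissionsValue 27 `
    -ESNEnabled $true

# Notification frequency is a tenant-wide setting on the global quarantine tag
# (4 hours, daily or weekly). Daily is a reasonable default for "keep users in the loop".
Set-QuarantinePolicy -Identity DefaultGlobalTag -EndUserSpamNotificationFrequency 1.00:00:00

# 3. Attach the policy to the verdicts that put mail in quarantine.
#    High-confidence phish is deliberately left on its admin-only default.
Set-HostedContentFilterPolicy -Identity Default `
    -SpamQuarantineTag $policy.Name `
    -HighConfidenceSpamQuarantineTag $policy.Name `
    -PhishQuarantineTag $policy.Name `
    -BulkQuarantineTag $policy.Name
# Malware verdicts are governed by the malware filter policy, not the spam filter policy.
Set-MalwareFilterPolicy -Identity Default -QuarantineTag $policy.Name

# 4. Sender side: message trace for the last 7 days of mail from our own domain.
#    Anything whose status is not "Delivered" (e.g. Quarantined, FilteredAsSpam, Failed)
#    gets its per-hop events pulled so the filtering verdict is visible.
$since = (Get-Date).AddDays(-7)
$trace = Get-MessageTrace -SenderAddress "*@contoso.example" `
    -StartDate $since -EndDate (Get-Date) -PageSize 5000

$trace | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

$trace | Where-Object { $_.Status -ne 'Delivered' } | ForEach-Object {
    Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId -RecipientAddress $_.RecipientAddress |
        Select-Object Date, Event, Detail
}

# 5. Recipient side: what is sitting in *our* quarantine from that domain, and under which
#    verdict type, so a bad-reputation false positive can be released in bulk if needed.
Get-QuarantineMessage -StartReceivedDate $since |
    Where-Object { $_.SenderAddress -like '*@contoso.example' } |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Type, Subject |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Two caveats a practitioner should keep in mind: a message trace in the sending tenant only shows what that tenant's EOP did with the message, so a quarantine decision made on the receiving side (the situation described in the thread) has to be chased with the recipient's admin; and releasing from quarantine does nothing about the reputation verdict itself, which is why the retention and notification settings are damage control rather than a fix.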