Forum Discussion
URL Detonation Reputation - How do you like it?
- Jan 04, 2024
Well, I just couldn't hold off on further comment. Things keep developing and my blown-away-ness keeps growing.
URL detonation reputation seems to be less popular now, in favor of the now super popular "URL Malicious Reputation", not sure if this was a rename or is actually just new categorization trends by EOP/MDO. In any case, here's the latest beef, and note I'm broadening the target for these pessimistic castings to cover EOP/MDO as a whole:
1.) I see a lot of URL Malicious Reputation emails being caught upon receipt. But then I also see a lot of these being caught by ZAP. What is most incredibly annoying about this is that, when the emails are truly bad, somehow EOP / MDO ALWAYS have to miss a small percentage and those messages slip through like they're perfectly fine, into Inbox. Exact same email sent to 100 users, ~5 will very often get through as "No threats".
2.) When domain 123EXAMPLE321.COM makes the bad reputation list, and then remains on there, but about 15 days into this state, messages STILL SLIP THROUGH THE CRACKS as described in #1 - I call this completely inexplicable. The AI has but zero intelligence.
3.) As of late, when ZAP "fails to move message", Defender now is confused (or is now enlightened, really not sure which) and will not let us perform a manual remediation to move the item from Junk to Quarantine. Nor can we do that by using the Report as Phish/Junk remediate type, because if it's already in Junk, there's nothing to report, I guess? So what this results in is - message comes in, lands in Junk, and just as described in #2, seconds later ZAP wants to move it to Quarantine, but fails. Remediation options for admins = manually go and delete that message or ask the user to. There's nothing in Defender Portal nor EXO Admin Center that is going to let the admin do that. This is a step backwards.
The automation is nice, but when it repeatedly works like a (GIANT) raging bull in a china shop, hard to really appreciate it.
There's got to be a better and more graceful way for this product feature to exist. This is downright insanity.
how are you?
I think that Microsoft must be made accountable for this problem and start compensating their clients for the damage caused.
MS must fix this problem ASAP. People can't wait, they are missing out on inbound and outbound emails if their domain URL is detected as Malware. This means loss of potential business and money.
Best regards
Alfred
- onandoff, Nov 10, 2023, Brass Contributor: Just an update which I hope others may find useful: after opening a support case with MS, we've learned that by submitting the URLs (not, or not only, the emails) as false positives, their machine algorithm is considerably improving. Not only are the messages with URLs in that CC domain no longer identified as HCPhish by URL Detonation Reputation, but even the majority of the previously quarantined emails were reprocessed and released to users' mailboxes.
- pbarnett, Nov 15, 2023, Copper Contributor: onandoff - How did you get Microsoft to resolve this for you? Did you just open a ticket and support took care of it on the backend, or did you just submit a URL submission for whitelist and they approved it?
- onandoff, Nov 16, 2023, Brass Contributor: I've opened a severity A case.
They asked for URL submissions (which we didn't have, we had only email submissions); we made a couple of submissions during the call and tested. Even though they said it takes up to 24 hours to review the submission, we started seeing results immediately.
I then submitted even more similar URLs (quantity also counts) and after 24 hours, as expected, some had verdict changed as Should not have been blocked and some maintained as Should have been blocked.
The number of false positives dropped almost completely for messages with those URLs, while some correctly detected ones from the same domain continued to be blocked (basically MDO URL Detonation Reputation started acting as it should 🙂 ).
- pbarnett, Nov 14, 2023, Copper Contributor: Only issue is that MS keeps denying my URL requests to whitelist the URL 😞
My client's domain came up on the UCEPROTECTL3 blacklist that Ana_B2110 mentioned above. (Not an issue with my client's website, but the webhost's entire subnet was on the blacklist.)
We had my client move their entire website to a new webhost so their domain is no longer on any blacklists, but Microsoft keeps denying the URL whitelist requests with "Should have been blocked".
It's been almost 2 weeks since my client has moved their website and gotten off the UCEPROTECTL3 list.
I have also opened a ticket with MS premier support back in October of this year, and all they did was ask for all my URL Submission IDs and examples of messages that got quarantined. I provided them with everything they needed and they went completely dark. Haven't heard from them in 5 days.
Beyond frustrated.
- JeremyTBradshaw, Nov 13, 2023, Iron Contributor: Thanks for the info, and AlfredB, I'm good thanks.
I'll add here that I do acknowledge we don't get to know what great danger Microsoft has saved us all from. I wish we had more toggles and dials to work with. They could make ZAP more configurable for one. The fact that they are also UN-ZAP'ing is nice, but again at scale, if you're an admin and people are coming to you for numbers and solutions, 😬🤔
I am torn, but now that I'm through this big bout, I feel like it was a chance to sharpen my Explorer and Advanced Hunting, as well as Excel pivot tables, to really dissect all the emails and determine which ones might be important to release from Quarantine.
It's probably a safe bet for all email admins, but in this lane, EOP/MDO customers should really get fluent with the tools for mass reviewing and handling messages in these scenarios. It's tough because you can't just export everything all at once as the data is too big, so you need a strategy before you can even see the lay of the land.
They do offer some amazing tools (Explorer and Advanced Hunting are fantastic and improving fast).
They might need to overhaul URL detonation reputation. That thing is hurting businesses.
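The opening post describes two things an admin ends up chasing by hand: copies of the same URL-reputation-flagged message that reached the Inbox while their siblings were caught, and ZAP actions that failed to move a message out of Junk. The Advanced Hunting query below is an added example for that triage, not code from the thread or from Microsoft. It uses the standard Defender XDR advanced hunting tables (EmailEvents, EmailUrlInfo, EmailPostDeliveryEvents) and their documented columns; the detection-method strings matched with `has`, the "Inbox/folder" delivery-location value and the "Success" action result are assumptions about verdict labels that should be checked against a known message in your own tenant before relying on the Outcome bucket.

```kql
// Added example (not from the thread): bucket URL-reputation-flagged mail by what
// actually happened to each copy, so missed copies and failed ZAPs surface first.
// Assumed labels: detection-method substrings, "Inbox/folder", ActionResult "Success".
let lookback = 14d;
let flagged =
    EmailEvents
    | where Timestamp > ago(lookback)
    // Match either name the verdict has appeared under (assumed substrings).
    | where DetectionMethods has "URL detonation reputation"
         or DetectionMethods has "URL malicious reputation"
    | project Timestamp, NetworkMessageId, RecipientEmailAddress, SenderFromAddress,
              Subject, ThreatTypes, DeliveryAction, DeliveryLocation,
              LatestDeliveryAction, LatestDeliveryLocation;
// Domains of the URLs in each flagged message, to spot the domain that keeps slipping through.
let urls =
    EmailUrlInfo
    | where Timestamp > ago(lookback)
    | summarize UrlDomains = make_set(UrlDomain) by NetworkMessageId;
// Post-delivery ZAP actions per recipient copy, including failed ones.
let zap =
    EmailPostDeliveryEvents
    | where Timestamp > ago(lookback)
    | where ActionType has "ZAP"
    | project NetworkMessageId, RecipientEmailAddress,
              ZapTime = Timestamp, ZapAction = Action,
              ZapResult = ActionResult, ZapLocation = DeliveryLocation;
flagged
| join kind=leftouter urls on NetworkMessageId
| join kind=leftouter zap on NetworkMessageId, RecipientEmailAddress
| extend Outcome = case(
    // Copy reached the Inbox and nothing moved it afterwards: the "No threats" copies.
    isempty(ZapResult) and LatestDeliveryLocation == "Inbox/folder", "Missed: still in Inbox",
    ZapResult == "Success", "ZAP moved it",
    // ZAP ran but reported something other than success: the "fails to move message" case.
    isnotempty(ZapResult), strcat("ZAP failed: ", ZapResult),
    "Blocked on receipt, no ZAP needed")
| summarize Copies = count(),
            Recipients = dcount(RecipientEmailAddress),
            FirstSeen = min(Timestamp),
            ExampleSubject = take_any(Subject)
    by Sender = SenderFromAddress, UrlDomains = tostring(UrlDomains), Outcome
| order by Outcome asc, Copies desc
```

Running it per sender and URL domain rather than per message keeps the result small enough to page through in the portal or export, which is the constraint the last post raises; the same Outcome column can be pivoted in Excel to decide which group is worth a release or a URL submission.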