Forum Discussion
URL Detonation Reputation - How do you like it?
- Jan 04, 2024
Well, I just couldn't hold off on further comment. Things keep developing and my blown-away-ness keeps growing.
URL detonation reputation seems to be less popular now, in favor of the now super popular "URL Malicious Reputation"; not sure if this was a rename or actually just new categorization trends by EOP/MDO. In any case, here's the latest beef, and note I'm broadening the target for these pessimistic castings to cover EOP/MDO as a whole:
1.) I see a lot of URL Malicious Reputation emails being caught upon receipt. But then I also see a lot of these being caught by ZAP. What is most incredibly annoying about this, when the emails are truly bad, is that somehow EOP / MDO ALWAYS have to miss a small percentage and those messages slip through like they're perfectly fine, into Inbox. Exact same email sent to 100 users, ~5 will very often get through as "No threats".
2.) When domain 123EXAMPLE321.COM makes the bad reputation list, and then remains on there, but about 15 days into this state, messages STILL SLIP THROUGH THE CRACKS as described in #1 - I call this completely inexplicable. The AI has but zero intelligence.
3.) As of late, when ZAP "fails to move message", Defender now is confused (or is now enlightened, really not sure which) and will not let us perform a manual remediation to move the item from Junk to Quarantine. Nor can we do that by using the Report as Phish/Junk remediate type, because if it's already in Junk, there's nothing to report, I guess? So what this results in is - message comes in, lands in Junk, and just as described in #2, seconds later ZAP wants to move it to Quarantine, but fails. Remediation options for admins = manually go and delete that message or ask the user to. There's nothing in Defender Portal nor EXO Admin Center that is going to let the admin do that. This is a step backwards.
The automation is nice, but when it repeatedly works like a (GIANT) raging bull in a china shop, hard to really appreciate it.
Thanks for posting. I've been dealing with this exact issue for 4 months (!!!). It's been EXTREMELY frustrating. My business can't send emails to any MS email with my domain in it, and it affects all of my clients as well - sending links to their customers.
Every day I submit emails for review that were quarantined and most stated "should not have been blocked". I also submit my base domain URL to the URL section, and it usually states the same.
However, the emails continue to be blocked.
Every now and then (maybe once every two weeks?) emails will start to come through. But then after a day or two, ZAP comes along and retroactively removes everything from the inbox and reinstates the block. It's so frustrating.
MS Support Engineers are absolutely clueless, or just don't have the tools necessary to deal with this. They continue to want to resolve the issue at a single tenant level, which is completely ludicrous because this affects ALL TENANTS. It's not a tenant issue - it's a MS issue, blocking/marking my domain as High Confidence Phish, for reasons I have no idea about.
If they would work with me to determine the reason it's happening and allow me to fix it (if there even is a problem), and verify the domain is legit, it would be very helpful. Until then, my business continues to be hammered with customers leaving because email notifications are an important aspect, and they see how long it's taking, are getting frustrated, and are going elsewhere.
LanceVS, I feel your pain. It's a helpless position to be in and MS Support is either completely under water or completely unsympathetic. Once you cross them with some passionate dissatisfaction it becomes a long silence game and eventually (usually only ever 30 days too late) you get asked for all new evidence to prove the issue still exists. By then my frustration is so high that I politely ask to close the case and move on out of self preservation.
Nobody would believe it's this bad without being in the weeds experiencing it. But the broad reputation strokes - I assume this is so bad that eventually competitors will use it as a laughing point when pitching the sale of their competing product. Albeit this (MS, EOP/MDO) is the company/product I want to like and have invested my entire working life into. So it's tough.
Seems like endpoints need to be stronger at handling things they end up receiving, rather than servers shoving tons of false positives under the high confidence rug. Lose-lose maybe, not sure.
Hope you get it sorted ASAP.
- Jeremy705, Jan 23, 2024, Copper Contributor
Has anyone else come up with a method for getting around this?
I have a client whose internal and external email is getting quarantined due to "URL Detonation Reputation". One of their staff has to constantly monitor the 365 quarantine and release their own internal messages to each other.
I've opened a ticket with Microsoft, but they didn't seem to help at all. It seemed to be getting better for a day or two, but has become an issue again.
- JeremyTBradshaw, Jan 24, 2024, Iron Contributor
I have not seen any big solutions. You can use the TABL to allow senders/domains, or URLs. I think the latter is the one that comes into play a lot for this issue with URL detonation/malicious reputation. Hard to want to allow a generic domain like R20_dot_RS6_dot_NET which is guaranteed to be redirecting anywhere else, since it's a click-tracking (extremely popular one too) service. That one seems to have reappeared this week on the bad rep list, and oh boy, it's been painful, again.
It's definitely something where at least one staff member is going to be maxed out, if you have 100s or 1000s of mailboxes to worry about. There's a ton of automation taking place which is nice; however, to manually babysit said automation, and regularly needing to manually undo the automation... you're looking at multiple FTEs spending 100% of their time. Until they get so good that they can automate even their part (which is doable, but takes a skilled vet with lots of energy).
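A time-bound Tenant Allow/Block List (TABL) URL allow entry for a click-tracking redirector of the kind mentioned in the reply above, written as an added example that is not from this thread or from Microsoft; it assumes the ExchangeOnlineManagement module, a role allowed to edit the TABL, and uses the constructed placeholder host tracker.example.net and a placeholder ticket reference in the note.

```powershell
# Added example (not from the thread): time-bound TABL URL allow entry for a
# click-tracking redirector, using the ExchangeOnlineManagement module.
# "tracker.example.net" is a constructed placeholder for whichever redirector
# keeps landing on the reputation list; the ticket number in $Notes is a placeholder too.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in with an account permitted to edit the TABL

$Redirector = 'tracker.example.net'
$Entry      = "$Redirector/*"   # TABL URL syntax: host plus wildcard path
$Notes      = 'Click-tracker used by newsletter vendor; ticket #PLACEHOLDER; review before expiry'

# 1. Look before allowing: is there already an allow or block entry touching this host?
$existing = Get-TenantAllowBlockListItems -ListType Url |
    Where-Object { $_.Value -like "*$Redirector*" }
$existing | Format-Table Value, Action, ExpirationDate, Notes -AutoSize

# 2. Allow it for 30 days only, with a note saying why. A redirector allow covers
#    every destination it forwards to, which is exactly why it must not be permanent:
#    the expiry forces a deliberate renewal instead of a silently open door.
$alreadyAllowed = $existing | Where-Object { $_.Action -eq 'Allow' }
if (-not $alreadyAllowed) {
    New-TenantAllowBlockListItems -ListType Url -Allow -Entries $Entry `
        -ExpirationDate (Get-Date).AddDays(30).ToUniversalTime() `
        -Notes $Notes
}

# 3. Periodic audit: URL allow entries expiring within the next 7 days, so renewal
#    (or letting the entry lapse) is a conscious decision before ZAP surprises anyone.
$soon = (Get-Date).AddDays(7)
Get-TenantAllowBlockListItems -ListType Url -Allow |
    Where-Object { $_.ExpirationDate -and $_.ExpirationDate -lt $soon } |
    Select-Object Value, ExpirationDate, Notes
```

Step 3 is meant to run on a schedule; an allow that quietly expires is the failure mode the thread describes, an allow that never expires is the one the reply warns about.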