Forum Discussion
URL Detonation Reputation - How do you like it?
- Jan 04, 2024
Well, I just couldn't hold off on further comment. Things keep developing and my blown-away-ness keeps growing.
URL detonation reputation seems to be less popular now, in favor of the now super popular "URL Malicious Reputation", not sure if this was a rename or is actually just new categorization trends by EOP/MDO. In any case, here's the latest beef, and note I'm broadening the target for these pessimistic castings to cover EOP/MDO as a whole:
1.) I see a lot of URL Malicious Reputation emails being caught upon receipt. But then I also see a lot of these being caught by ZAP. What is most incredibly annoying about this, when the emails are truly bad, somehow EOP / MDO ALWAYS have to miss a small percentage and those messages slip through like they're perfectly fine, into Inbox. Exact same email sent to 100 users, ~5 will very often get through as "No threats".
2.) When domain 123EXAMPLE321.COM makes the bad reputation list, and then remains on there, but about 15 days into this state, messages STILL SLIP THROUGH THE CRACKS as described in #1 - I call this completely inexplicable. The AI has but zero intelligence.
3.) As of late, when ZAP "fails to move message", Defender now is confused (or is now enlightened, really not sure which) and will not let us perform a manual remediation to move the item from Junk to Quarantine. Nor can we do that by using the Report as Phish/Junk remediate type, because if it's already in Junk, there's nothing to report, I guess? So what this results in is - message comes in, lands in Junk, and just as described in #2, seconds later ZAP wants to move it to Quarantine, but fails. Remediation options for admins = manually go and delete that message or ask the user to. There's nothing in the Defender Portal or the EXO Admin Center that is going to let the admin do that. This is a step backwards.
The automation is nice, but when it repeatedly works like a (GIANT) raging bull in a china shop, hard to really appreciate it.
LanceVS, I feel your pain. It's a helpless position to be in and MS Support is either completely under water or completely unsympathetic. Once you cross them with some passionate dissatisfaction it becomes a long silence game and eventually (usually only ever 30 days too late) you get asked for all new evidence to prove the issue still exists. By then my frustration is so high that I politely ask to close the case and move on out of self preservation.
Nobody would believe it's this bad without being in the weeds experiencing it. But the broad reputation strokes - I assume this is so bad that eventually competitors will use it as a laughing point when pitching the sale of their competing product. Albeit this (MS, EOP/MDO) is the company/product I want to like and have invested my entire working life into. So it's tough.
Seems like endpoints need to be stronger at handling things they end up receiving, rather than servers shoving tons of false positives under the high confidence rug. Lose-lose maybe, not sure.
Hope you get it sorted ASAP.
I have a client whose internal and external email is getting quarantined due to "URL Detonation Reputation". One of their staff has to constantly monitor the 365 quarantine and release their own internal messages to each other.
I've opened a ticket with Microsoft, but they didn't seem to help at all. It seemed to be getting better for a day or two, but has become an issue again.
- JeremyTBradshaw, Jan 24, 2024, Iron Contributor
I have not seen any big solutions. You can use the TABL to allow senders/domains, or URLs. I think the latter is the one that comes into play a lot for this issue with URL detonation/malicious reputation. Hard to want to allow a generic domain like R20_dot_RS6_dot_NET which is guaranteed to be redirecting to anywhere else, since it's a click-tracking (extremely popular one too) service. That one seems to have reappeared this week on the bad rep list, and oh boy, it's been painful, again.
It's definitely something where at least one staff member is going to be maxed out, if you have 100s or 1000s of mailboxes to worry about. There's a ton of automation taking place which is nice, however, to manually babysit said automation, and regularly needing to manually undo the automation... you're looking at multiple FTEs spending 100% of their time. Until they get so good that they can automate even their part (which is doable, but takes a skilled vet with lots of energy).