Forum Discussion
URL Detonation Reputation - How do you like it?
- Jan 04, 2024
Well, I just couldn't hold off on further comment. Things keep developing and my blown-away-ness keeps growing.
URL detonation reputation seems to be less popular now, in favor of the now super popular "URL Malicious Reputation", not sure if this was a rename or is actually just new categorization trends by EOP/MDO. In any case, here's the latest beef, and note I'm broadening the target for these pessimistic castings to cover EOP/MDO as a whole:
1.) I see a lot of URL Malicious Reputation emails being caught upon receipt. But then I also see a lot of these being caught by ZAP. What is most incredibly annoying about this is that, when the emails are truly bad, somehow EOP / MDO ALWAYS have to miss a small percentage, and those messages slip through like they're perfectly fine, into Inbox. Exact same email sent to 100 users, ~5 will very often get through as "No threats".
2.) When domain 123EXAMPLE321.COM makes the bad reputation list, and then remains on there, but about 15 days into this state, messages STILL SLIP THROUGH THE CRACKS as described in #1 - I call this completely inexplicable. The AI has but zero intelligence.
3.) As of late, when ZAP "fails to move message", Defender now is confused (or is now enlightened, really not sure which) and will not let us perform a manual remediation to move the item from Junk to Quarantine. Nor can we do that by using the Report as Phish/Junk remediate type, because if it's already in Junk, there's nothing to report, I guess? So what this results in is: message comes in, lands in Junk, and just as described in #2, seconds later ZAP wants to move it to Quarantine, but fails. Remediation options for admins = manually go and delete that message, or ask the user to. There's nothing in Defender Portal nor EXO Admin Center that is going to let the admin do that. This is a step backwards.
The automation is nice, but when it repeatedly works like a (GIANT) raging bull in a china shop, hard to really appreciate it.
This issue has been resolved for us, for now.
Having been 6.5 months into this, I'm not too optimistic. However, emails have been hitting the inbox for 9 days now. This is by far the longest stint of the emails making the inbox; they usually stop after 48-72 hours.
I went through Professional Direct Support - although from what I can tell that didn't necessarily put me in front of anyone different from the regular support channels within the Admin Center. The difference is I have a point of contact so I'm not shuffled to different support engineers who make me start over from scratch describing the issue, etc.
They initially claimed they resolved the issue and as usual, the emails started to be blocked again after 72 hours. They wouldn't tell me what they did to get the emails to start going again.
This time around, I received the following:
My Support team confirmed that they have taken our website off the block list and have done what is needed to make sure that the problem is fully fixed. Please verify the behavior and continue to monitor it until Monday to make sure that it is completely resolved.
It's interesting for a couple of reasons.
Why couldn't this have been done at ANY POINT during the last 6.5 months?!
I was told over and over that they don't have access to this "block/filter list", and that the only way to get through it is to "train" it by submitting false positives to Microsoft. Which didn't work, even after hundreds of submissions.
Any time I have come across this issue online and someone has gotten it resolved, they have stated support has said the exact same thing. That they were removed from a list.
I have no idea how to help anyone else experiencing this horrible situation. I tried referencing ticket numbers in the past and it didn't get me anywhere. But if you are lucky, here are my ticket numbers that were used. Perhaps they can look at them to see what the issue was.
2401090040001245
2402020040010329
I believe the top one is the one that did the trick, but I honestly don't know. And if I go look at my Service Request History, all of my correspondence shows up as null, when previously I could read every single email. That's not comforting.
I'm still going to wait another week or two to get more confidence that the issue is resolved. But hopefully I don't have to come back here reporting that the problem is back.
Good luck. Again, I apologize for anyone else experiencing this. It was the worst thing I have had to deal with, with all of the time/energy put into it, when from day 1 I knew exactly what needed to be done but Microsoft refused to provide appropriate help.
- WKlenner, May 26, 2024, Copper Contributor
I just want to drop a short "me too". Since May 2nd we have been experiencing exactly the same problem. I'm sure that this is a very faulty design, and of such complexity that almost no one at Microsoft can see that this is going horribly wrong. And they have no idea how much trouble and cost they are causing.
Thank you for sharing the ticket numbers. I have a very tiny bit of hope that it can help in my case.
- AlvyTech, Jun 12, 2024, Copper Contributor
Since around the 5th May we've been experiencing the same problems with any emails that originate from us to our Office 365 using customers.
We're now five weeks into our support ticket and are no closer to resolving the issue.
Our customers, who mostly use Office 365 because they are businesses, can no longer receive any emails with links to our own company's product portal or documentation. It all gets caught by the quarantine mechanism as a High Confidence Phishing action, and the URLs are marked as phishing.
We've submitted over 50 URL submissions via the Submissions area of the Microsoft Defender site, with most of them coming back as "Unknown - we checked, but a decision couldn't be made.".
This leaves us without any way of correcting the false positives, and Microsoft Support have so far not come back with any resolutions. URL Detonation Reputation is a train wreck that's destroying businesses.
- WKlenner, Jun 12, 2024, Copper Contributor
A few days ago support solved my problem, after 6 weeks of sending the same information over and over again. My ticket number is 2405091420000182; maybe it helps if you reference it.
All the best!