Forum Discussion
URL Detonation Reputation - How do you like it?
- Jan 04, 2024
Well, I just couldn't hold off on further comment. Things keep developing and my blown-away-ness keeps growing.
URL detonation reputation seems to be less popular now, in favor of the now super popular "URL Malicious Reputation", not sure if this was a rename or is actually just new categorization trends by EOP/MDO. In any case, here's the latest beef, and note I'm broadening the target for these pessimistic castings to cover EOP/MDO as a whole:
1.) I see a lot of URL Malicious Reputation emails being caught upon receipt. But then I also see a lot of these being caught by ZAP. What is most incredibly annoying about this is that, when the emails are truly bad, somehow EOP / MDO ALWAYS have to miss a small percentage, and those messages slip through into the Inbox like they're perfectly fine. Exact same email sent to 100 users, ~5 will very often get through as "No threats".
2.) When domain 123EXAMPLE321.COM makes the bad reputation list, and then remains on there, but about 15 days into this state, messages STILL SLIP THROUGH THE CRACKS as described in #1 - I call this completely inexplicable. The AI has but zero intelligence.
3.) As of late, when ZAP "fails to move message", Defender now is confused (or is now enlightened, really not sure which) and will not let us perform a manual remediation to move the item from Junk to Quarantine. Nor can we do that by using the Report as Phish/Junk remediate type, because if it's already in Junk, there's nothing to report, I guess? So what this results in is - message comes in, lands in Junk, and just as described in #2, seconds later ZAP wants to move it to Quarantine, but fails. Remediation options for admins = manually go and delete that message or ask the user to. There's nothing in Defender Portal nor EXO Admin Center that is going to let the admin do that. This is a step backwards.
The automation is nice, but when it repeatedly works like a (GIANT) raging bull in a china shop, hard to really appreciate it.
I just want to drop a short "me too". Since 02 May we have experienced exactly the same problem. I'm sure that this is a very faulty design, and of such complexity that almost no one at Microsoft can see that this is going horribly wrong. And they have no idea how much trouble and cost they are causing.
Thank you for sharing the ticket#, I have a very tiny bit of hope that it can help in my case.
Since around the 5th May we've been experiencing the same problems with any emails that originate from us to our Office 365-using customers.
We're now five weeks into our support ticket and are no closer to resolving the issue.
Our customers, who mostly use Office 365 as they are businesses, can no longer receive any emails with links to our own company's product portal or documentation; it all gets caught by the quarantine mechanism as a High Confidence Phishing action, and the URLs are marked as phishing.
We've submitted over 50 URL submissions via the Submissions area of the Microsoft Defender site, with most of them coming back as "Unknown - we checked, but a decision couldn't be made."
This leaves us without any way of correcting the false positives, and Microsoft Support have so far not come back with any resolutions.
URL Detonation Reputation is a train wreck that's destroying businesses.
- WKlenner, Jun 12, 2024, Copper Contributor
A few days ago the support solved my problem, after 6 weeks of sending the same information over and over again. My ticket# is 2405091420000182, maybe it helps if you reference it.
All the best!
- Lance_VS, Jun 12, 2024, Copper Contributor
AlvyTech, so sorry to hear that - it's a horrible situation.
We have thankfully remained off the block list since the issue was finally resolved in March. But the anxiety of not knowing what's to come in the future is definitely real.
Hoping you can somehow utilize my ticket numbers to help find a solution. There's something on Microsoft's end that they need to do, and they will drag you along for weeks (months) telling you there's nothing they can do to "train their AI". However, there's clearly a simple list they can edit or something somewhere, as our issue was resolved immediately once they finally completed some sort of action.
Wishing you all the best.
- JeremyTBradshaw, Jun 12, 2024, Iron Contributor
I know I've already said it a few times but this topic is exactly why the average M365 customer needs to make sure they Quarantine rather than Reject, and use the 30 days (max allowed), giving themselves the best chance at not missing important emails. The Quarantine Policy permission of Request to Release is nice to have, especially for High Confidence Phish, but then this will also add to the Quarantine noise/fatigue for users so it's a toughy. It's hard to pick a stance on this one. You might get saved by something really bad sometime(s), but otherwise, you're being impacted negatively a lot of the time. Wish there was a way to see all the domains on the URL detonation reputation and URL malicious reputation lists. Or at least the domains added within the last NN weeks or so. For big orgs, it's too much to ask of admins for them to just be on top of it all proactively.
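As an added example (not posted by anyone in this thread, and not Microsoft's own code), here are two Defender XDR advanced hunting queries an admin can use to surface the two failure modes the thread describes: messages carrying a link to a domain that MDO has already tagged with "URL malicious reputation" but that still landed in an Inbox, and ZAP actions that did not complete. They assume the standard EmailEvents, EmailUrlInfo and EmailPostDeliveryEvents tables; the exact DeliveryLocation and ActionResult string values are assumptions to verify against your tenant's data.

```kql
// Added example, not from this thread. Assumes the Defender XDR advanced hunting
// tables EmailEvents, EmailUrlInfo and EmailPostDeliveryEvents.
//
// Query 1: messages whose URL domain MDO has already tagged with
// "URL malicious reputation" in the lookback window, but that still
// reached a recipient's Inbox (the "5 out of 100 slip through" case).
let lookback = 30d;
let flagged_domains =
    EmailEvents
    | where Timestamp > ago(lookback)
    // DetectionMethods is a dynamic column; stringify it to search the verdict text
    | where tostring(DetectionMethods) has "URL malicious reputation"
    | join kind=inner (EmailUrlInfo | project NetworkMessageId, UrlDomain) on NetworkMessageId
    | distinct UrlDomain;
EmailEvents
| where Timestamp > ago(lookback)
| join kind=inner (EmailUrlInfo | project NetworkMessageId, UrlDomain) on NetworkMessageId
| where UrlDomain in (flagged_domains)
// "Inbox/folder" is assumed to be the DeliveryLocation value for inbox delivery;
// check the distinct values in your tenant if this returns nothing
| where LatestDeliveryLocation == "Inbox/folder"
| summarize Recipients = dcount(RecipientEmailAddress),
            Messages = dcount(NetworkMessageId),
            SampleSubject = any(Subject)
    by UrlDomain, SenderFromDomain, bin(Timestamp, 1d)
| order by Timestamp desc

// Query 2 (paste and run separately; advanced hunting accepts one query at a time):
// ZAP actions that did not succeed, so the Junk-folder messages that still need
// manual cleanup can be listed instead of discovered by users.
EmailPostDeliveryEvents
| where Timestamp > ago(30d)
// ActionType values such as "Phish ZAP" / "Malware ZAP" identify ZAP-triggered actions
| where ActionType has "ZAP"
// ActionResult wording is an assumption; group by it first to see what your tenant reports
| summarize Count = count(),
            Examples = make_set(InternetMessageId, 5)
    by ActionType, ActionResult, DeliveryLocation
| order by Count desc
```

Query 1 is the closest available substitute for the "show me the domains on the reputation list" view the post wishes for: it only covers domains your own tenant has already seen flagged, not the global list.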