A potentially malicious URL click was detected
Several times a week (10 times today) I get alerts from [email address removed for privacy reasons] saying that someone has clicked a potentially malicious URL.
Any time I have investigated it has never been true. Sometimes the user has deleted it. Sometimes they haven't seen it until I call them, so they have not clicked on anything. Sometimes the person is out of the office and hasn't opened email. Other times our third-party anti-virus has deleted them from the user's mailbox before they see them.
The alerts take 20 minutes or half an hour to investigate and are never true, so I just ignore them now.
Is there some better way to handle these or to only get alerts that are real?
- Ajaj_Shaikh (Microsoft)
Hi John, we log all the URL clicks, but the URL click alerts are raised only if the user has clicked on the URLs identified as malicious by Microsoft Defender for Office 365. If you believe any alert is a false alarm, please create a ticket through our customer support channels. Our teams will investigate and get back to you with the details.
For more details on these policies, you can refer to this documentation:
https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide#threat-management-alert-policies
- John Twohig (Iron Contributor)
Support said:
"When the Safe link policies are enabled, the click isn't actually a click on a link by a user. With the safe links policies enabled, the malicious URLs received in emails are re-written then scanned for the malicious content.
To elaborate it further, if you have an anti-virus installed on the computer that checks the URLs to see if they are malicious, then that anti-virus would "click" the URL to test it, which would trigger as a click.
So it's fully possible that the users themselves didn't click the URLs, but something did."
They think that Trend Micro Apex One is checking the mailboxes for malware and triggering the alerts. We are opening a support ticket with Trend to see if others are encountering this.
- Anfo14 (Copper Contributor)
This is the closest I've come to explaining this phenomenon. Safe Link policy OFF, user likely clicked URL. Safe Link policy ON, Safe Link is the culprit. Now a source would be handy, or Microsoft's acknowledgement!
I thought Microsoft's feedback was true; I did encounter a similar issue since my security tools were trying to open the safe link for protection.
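
One way to triage these alerts along the lines Support describes (a click made by a security tool rather than by the user), as an added example that is not part of the thread and not Microsoft's own logic. It assumes you can export click records with the hypothetical fields `user`, `ip`, `delivered_at` and `clicked_at` and that you know your scanner's egress addresses; the ranges, threshold and sample records are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions, not from the thread: replace with your scanner's real egress
# ranges and a threshold tuned to your own mail flow.
SCANNER_NETS = [ip_network("203.0.113.0/24")]  # constructed (RFC 5737 range)
FAST_CLICK = timedelta(seconds=90)

def triage_click(event, user_ips):
    """Classify one click record; returns (verdict, reasons).

    event: dict with hypothetical keys user, ip, delivered_at, clicked_at.
    user_ips: dict of user -> set of IPs seen in that user's recent sign-ins.
    """
    reasons = []
    src = ip_address(event["ip"])
    from_scanner = any(src in net for net in SCANNER_NETS)
    if from_scanner:
        reasons.append("source IP is a known scanner egress address")
    delay = event["clicked_at"] - event["delivered_at"]
    fast = delay <= FAST_CLICK
    if fast:
        reasons.append(f"clicked {int(delay.total_seconds())}s after delivery")
    known_ip = event["ip"] in user_ips.get(event["user"], set())
    if known_ip:
        reasons.append("source IP matches the user's own sign-ins")
    # A click from the user's own address is never dismissed, however fast.
    if known_ip and not from_scanner:
        return "likely-user", reasons
    if from_scanner or fast:
        return "likely-automated", reasons
    return "needs-review", reasons

# Constructed sample records (not real alert data).
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE = [
    {"user": "alice@example.com", "ip": "203.0.113.7",
     "delivered_at": T0, "clicked_at": T0 + timedelta(seconds=4)},
    {"user": "bob@example.com", "ip": "198.51.100.20",
     "delivered_at": T0, "clicked_at": T0 + timedelta(hours=2)},
    {"user": "carol@example.com", "ip": "192.0.2.55",
     "delivered_at": T0, "clicked_at": T0 + timedelta(hours=5)},
]
USER_IPS = {"bob@example.com": {"198.51.100.20"}}

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev["user"], *triage_click(ev, USER_IPS))
```

Only the `likely-automated` verdict is a candidate for a quick close; `likely-user` and `needs-review` still get the normal investigation.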