ATP False Positives

Question

We have alerts set up to detect outbound malware and recently we are receiving a lot of alerts regarding attachments being marked by MS as a threat.

The attachments are ATT files and all of the emails marked have the following hash file

961E95EB029767015671BA8562467FCE6C27899CF58C153CFEC1403B10B817B0

On checking this out on places like virustotal it is deemed clean.

I've opened a support case to Microsoft and they have told me that they must be malicious or else ATP wouldn't flag this.

I'm pretty sure this is a false positive but no idea how to proceed as support tell me there is no way to submit these as false positives.

I know there was a recent incident regarding incorrectly quarantined messages (
EX182195 - Remnant quarantined messages)

I'm wondering if this is fallout from this incident still hanging around.

Any advice

Thanks

scott preston · Answer

JSlora&nbsp;After spending around 26 days trying to have this resolved and several escalations I was just told that the issue had been resolved and no explanation was given despite asking several times. I was told to re-open the ticket if it happened again. I can't say I have noticed any ZAP's&nbsp; relating to this same hash recently but I will keep my eye out.&nbsp;&nbsp;

vasilmichev · Answer

Apart from reporting the messages to Microsoft, there's hardly anything you can do.&nbsp;

scott preston · Answer

VasilMichev&nbsp;Thanks for the prompt reply.&nbsp;Reported it to Microsoft and as mentioned they said it must be malware. I've taken the file from one email and it checks out clean on many engines.&nbsp;&nbsp;Microsoft provided me a link to a submission site for Windows Defender and this has come back clean also and they have said that it has been previously removed as a threat from their database.&nbsp;Not sure if ATP or online services use the same engine for this type of threat but now Microsoft are telling me to wait 24 hours and check the behaviour. Not filling me with confidence I'm afraid.

ezra pound · Answer

Scott Preston&nbsp;Did you ever get any where with this? We are experiencing the exact same issue/same hash and its getting flagged about 60+ times a day across various users/mailboxes.

scott preston · Answer

Ezra Pound&nbsp;We are still experiencing this.&nbsp;We are on our 23rd day of support calls with Microsoft regarding this. Initially support suggested it is actually infected files, which we had checked out a few samples.&nbsp;I've had to explain to Microsoft how the ATT00002.HTM files are generated and have replicated the issues several times.&nbsp;It appears to happen when emails are sent to users which contain attachments and inline images such as an Email signature in Outlook. All the files being flagged are attached when someone forwards the emails from and apple client.&nbsp;Microsoft Support have recently indicated that it is only our tenant this is happening with but clearly not the case.&nbsp;&nbsp;A lot of the time with Microsoft support has been wasted explaining how the flagged files are actually being generated rather than actually determining why the files are being flagged as Malware in our alerts.&nbsp;I suggest you open a support case with Microsoft.&nbsp;&nbsp;&nbsp;

Forum Discussion

ATP False Positives

7 Replies