Forum Discussion
John Twohig
Dec 14, 2022, Iron Contributor
A potentially malicious URL click was detected
Several times a week (10 times today) I get alerts from [email address removed for privacy reasons] saying that someone has clicked a potentially malicious URL. Any time I have investigate...
Ajaj_Shaikh
Microsoft
Jan 03, 2023
Hi John, we log all the URL clicks but the URL click alerts are raised only if the user has clicked on the URLs identified as malicious by Microsoft Defender for Office 365. If you believe any alert is a false alarm, please create a ticket through our customer support channels. Our teams will investigate and get back to you with the details.
For more details on these policies, you can refer to this documentation:
https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide#threat-management-alert-policies
- John Twohig, Jan 30, 2023, Iron Contributor
Support said:
"When the Safe Links policies are enabled, the click isn't actually a click on a link by a user. With the Safe Links policies enabled, the malicious URLs received in emails are rewritten, then scanned for the malicious content.
To elaborate on it further, if you have an anti-virus installed on the computer that checks the URLs to see if they are malicious, then that anti-virus would "click" the URL to test it, which would trigger as a click.
So it's fully possible that the users themselves didn't click the URLs, but something did."
They think that Trend Micro Apex One is checking the mailboxes for malware and triggering the alerts. We are opening a support ticket with Trend to see if others are encountering this.
- Anfo14, Apr 25, 2024, Copper Contributor
This is the closest I've come to explaining this phenomenon. Safe Link policy OFF, user likely clicked URL. Safe Link policy ON, Safe Link is the culprit. Now a source would be handy or Microsoft's acknowledgement!
- Keshawn, Jun 12, 2024, Copper Contributor
I would love for Microsoft to acknowledge this too. Something I've been wanting confirmation on for a while now.