Gunter Danzeisen
Brass Contributor
Oct 05, 2022

Suspicious URL clicked Alert although URL has an Allow Indicator

Hi all,

MDE is detecting 3rd party phishing simulation campaign links as suspicious (3rd party phishing simulation is configured in M365D).

Now I added a custom Allow indicator for that URL. However, when the link is clicked in an email, I still get "Suspicious URL clicked" and "Suspicious URL opened in web browser" alerts for the URL. When I select the URL entry in the alert story, it even shows in the right-hand pane that "an indicator rule of "Allow" was created by...." So it looks like the indicator is picked up correctly.

Is it expected that these alerts are still raised, even if an allow indicator is in place?

Regards,

Gunter

1 Reply

  • MarcinGorski
    Copper Contributor

    Hello Gunter Danzeisen

    It's been a while since you placed your post, so you may have already figured it out.

    Anyway, I think you just need to tune the alert. An Allow rule means the users will be able to reach that URL. Some behavioral analysis still flags those as suspicious.

    Best
    Marcin
