Forum Discussion
Defender false positive on SharePoint links
We have an external business partner emailing SharePoint links for sensitive information. M365 Defender is consistently flagging the link as malicious with no clear indication as to why. So we get the following:
- alerts generated in Defender
- emails flagged in email explorer and quarantined
- Defender Smart Screen blocks the safe link/original URL but displays a different URL
I have already added the domain to the Allow list in the IoC.
I have submitted the domain and specific URL to Microsoft for review.
Questions:
- how to edit the Defender Smart Screen blocks?
- is there a quicker way to list a URL or domain as safe so users can load?
1 Reply
An admin submission may work (and is the exam answer) but you should track and see if it actually results in an Allow entry in your tenancy TABL under the URLs tab. If it does not, you have ask Product Support to force the setting for you.
It looks as if Indicators are a Defender for Endpoint thing. Try that group.
