Forum Discussion
Brok3NSpear
Brass Contributor, Apr 25, 2024
Sent from Outlook for iOS links Being Quarantined in Defender
Hi, Microsoft seem to be falsely flagging their own shortening URL for hxxps://aka.ms/o0ukef as High Confidence Phishing. This is the link that is created in emails when a user sends an email ...
UrjaGandhi
Microsoft
May 10, 2024
Summary: Recently, Microsoft Defender for Office 365 observed false positives from heuristic-based detections related to URLs targeting fake Microsoft notification emails, e.g. Password expiry notifications. These detections are used to target the ever-changing email threat landscape and adjust to new tactics and techniques by various threat actors. These specific detections have been adjusted and the false positive issue has been mitigated. Furthermore, Microsoft Defender for Office 365 has implemented a long-term solution to handle such aka.ms links in a more robust fashion.
Thanks,
Microsoft Defender for Office 365 Product Group
- its_Tricky83 (Copper Contributor), Jun 13, 2024
The issue is occurring again and causing massive impact!
Yesterday, today and ongoing we are suddenly seeing any emails that contain the link https://aka.ms/o0ukef being quarantined as 'High Confidence Phish'.
- Brok3NSpear (Brass Contributor), Jun 13, 2024
Haven't started to see this yet again in our tenant (UK) but will keep an eye out for it.
Thanks for the heads up
UrjaGandhi FYI for new events being reported by users
- its_Tricky83 (Copper Contributor), Jun 13, 2024
Long story short, looks like our issue might have been caused by an external vendor accidentally adding an incorrect Defender Tenant Block rule. It's been a painful cleanup!