Sent from Outlook for iOS links Being Quarantined in Defender

Question

Hi,&nbsp;Microsoft seem to be falsely flagging their own shortening URL for&nbsp;hxxps://aka.ms/o0ukef as High Confidence Phishing&nbsp;This is the link that is created in emails when a user sends an email from Outlook for iOS&nbsp;&nbsp;This is causing a lot of emails to be blocked and sent to the Quarantine queue.&nbsp;Can someone at MS take a look and get this addressed.

brok3nspear · Answer

its_Tricky83&nbsp;&nbsp;Haven't started to see this yet again in our tenant (UK) but will keep an eye out for it.&nbsp;Thanks for the heads up&nbsp;UrjaGandhi&nbsp;FYI for new events being reported by users&nbsp;&nbsp;

its_tricky83 · Answer

Long story short, looks like our issue might have been caused by an external vendor accidentally adding an incorrect Defender Tenant Block rule.. It's been a painful cleanup!

urjagandhi · Answer

Summary: Recently, Microsoft Defender for Office 365 observed false positives from heuristic-based detections related to URLs targeting fake Microsoft notification emails, e.g. Password expiry notifications. These detections are used to target the ever-changing email threat landscape and adjust to new tactics and techniques by various threat actors. These specific detections have been adjusted and the false positive issue has been mitigated. Furthermore, Microsoft Defender for Office 365 has implemented a long-term solution to handle such aka.ms links in a more robust fashion.

Thanks,
Microsoft Defender for Office 365 Product Group

its_tricky83 · Answer

The issue is occurring again and causing massive impact!
Yesterday, today and ongoing we are suddenly seeing any emails that contain the link https://aka.ms/o0ukef being quarantined as 'High Confidence Phish'.

Forum Discussion

Sent from Outlook for iOS links Being Quarantined in Defender

Share

Resources