
Teams Messages showing up as Malware


For the last few days every single email my users have gotten that says "So-and-so sent you a Teams Message" (sent from noreply@email.teams.microsoft.com) has gotten flagged as "Email messages containing malware removed after delivery" by O365 Security & Compliance. This has resulted in over 1,000 informational alerts in my console (https://protection.office.com/viewalerts). Is anyone else plagued by this? I'm opening a support ticket tonight.

 

Severity: Informational
Threat type: Malware and Malicious
Details: Emails with malware that were delivered and later removed -V1.0.0.3

By the time this alert was triggered, the following 1 user received Malware and Malicious mail matching the conditions of your alert policy: user@contoso.com
2 Replies
Solution

It was a regression introduced in a recent rule update; they have since resolved it. Details are in EX189242 on your SHD. If you are still seeing messages being ZAPed, make sure to open a support case and report it.

From what you explained, it could be a false positive, and I suggest checking this with the support team. Also check and see if there were any malicious files associated with your posts.