Defender SmartScreen claiming internal SharePoint/OneDrive site was reported as unsafe

Iron Contributor

Hello,

 

We've had a couple of users experience SmartScreen blocking O365 file sharing links (SharePoint/OneDrive) sent to and from users on our own domain. Here is what they receive:

AndrewSAIF_0-1615835621217.png

 

The link is just an xlsx file that is parked on a user's OneDrive. I've inspected the file, and it does not contain any active content that could be construed as malicious. Furthermore, the user created a second link to the same document, which is not blocked by SmartScreen. 

 

The users themselves claim that they did not report the link as malicious (of course, users never lie, right?). Based on what I am reading, though, SmartScreen will display this message whether a person reported it or Microsoft's algorithms have flagged it:
Microsoft Edge support for Microsoft Defender SmartScreen | Microsoft Docs

I realize I can AllowList our SharePoint domain for SmartScreen, but I don't really want to give up the protection entirely. 

We've had Edge deployed companywide since last August, and have had no such reports until now. We have around 1100 active users and many of them use the O365/OneDrive/SharePoint ecosystem with great frequency. 

 

There are a few things I don't like about this:

 

  • The ambiguity of the message (this site has been reported) makes it unclear whether this is user error or a false positive on Microsoft's part. If I could be certain that a human being reported the site, I'd know for a fact that it was one of the people with rights to the file, and could easily find and educate that person. If I can't, it doesn't exactly inspire confidence in the detection algorithm for the affected users.
  • Regardless of whether it is a false positive or an erroneous report, there does not appear to be an easy way to cancel the warning on our end. There is a 'this site is not malicious' feature that allows us to fill out a form, but submitting it doesn't immediately cancel the warning. This makes sense for a random false-positive site out on the wild, wooly Internet, but only our users have access to our SharePoint. If someone uploaded something malicious, we'd have several other problems to address. 
  • Users can still access the same file through the 'Shared' tab in OneDrive. They only get blocked trying to open the link from their Outlook. Makes the protection seem arbitrary. 

Has anyone else run into this behavior in your organization? I would be interested to know if there are other options for dealing with this besides having folks re-share everything or sending a report to MS and hoping it gets approved on their side. 

Andrew

8 Replies
Had the exact same issue above user or contributor has reported it and no matter how many false reports to Microsoft it doesn't get unblocked.
Whitelisting internally is an option but not when collaborating externally to clientele.

Did you get a resolution to this?
SmartScreen filter won't just block a website based on report, it has method to investigate and when report is accurate, then block it. It will also do it in automatic way.
When you see this report, in case you are the owner of the domain, you could report it as website owner and ask to remove it from the list. Users also could report it as safe and Microsoft SmartScreen filter team shall review and when they detect it as safe, then they will remove the flag for unsafe.

@Reza_Ameri 

Been reporting everyday for 4 months  with no resolution.

@Synergy1001 

Check with the host and may be there is malware in the host and ask them to investigate for security issue. May be it contains some malicious contents.

Hi,
We have exact same issue in our environment, our own sharepoint link has been identified as Malicious by Office365 defender, raised an Microsoft case on the same, once i have an update from them, would update here. thanks
Thank you for letting us know and glad you share the issue with the Microsoft.
Ended up getting mine resolved with persistance with lodging support tickets with microsoft through the admin centre. Case was esculated and our site URL's were whitelisted.
Hi,
it was Microsoft's known issue, but there was no service health advisory raised on the same when i had reported, they had given a choice to whitelist our own URL's(sharepoint) but that is what our client can agree upon. Microsoft can fixed the issue now i believe.
but we have to look into the sharepoint URL of user which was remediated by Office365 defender automation and enable it if blocked (Already reported the URL as clean to MS)