Microsoft Defender Email Investigation



I have been doing an investigation into some emails being blocked by our Threat Investigation AIR, and from what I can gather, the issue is this:


When a customer has an email signature containing Tel:0000000, Defender believes this is a phishing URL, but when examining this, it's not. It's just a handler to open the telephone number. 


Q: Why does it do this? Shouldn't Defender know it's just a handler with a legit URL?

Q: Why does it get converted into a Bing link?

Q: Can I whitelist just the first part of the URL - 






0 Replies