I have been doing an investigation into some emails being blocked by our Threat Investigation AIR, and from what I can gather, the issue is this:
When a customer has an email signature containing Tel:0000000, Defender believes this is a phishing URL, but on examination, it's not. It's just a handler to open the telephone number.
Q: Why does it do this? Shouldn't Defender know it's just a handler with a legit URL?
Q: Why does it get converted into a Bing link?
Q: Can I whitelist just the first part of the URL - https://www.bing.com/ck/a?