Microsoft Defender Email Investigation

New Contributor

Hello,

 

I have been doing an investigation into some emails being blocked by our Threat Investigation AIR, and from what I can gather, the issue is this:

 

When a customer has an email signature containing Tel:0000000, Defender believes this is a phishing URL, but when examining this, it's not. It's just a handler to open the telephone number. 

 

Q: why does it do this - Shouldn't defender know it's just a Handler with a legit URL?

Q: Why does it get converted into a Bing link ?

Q: Can I white list just the first part of the URL - https://www.bing.com/ck/a? 

 

Regards,

Callum

 

 

0 Replies