A potentially malicious URL click was detected


Several times a week (10 times today) I get alerts from [email address removed for privacy reasons] saying that someone has clicked a potentially malicious URL.


Any time I have investigated it has never been true. Sometimes the user has deleted it. Sometimes they haven't seen it until I call them, so they have not clicked on anything. Sometimes the person is out of the office and hasn't opened email. Other times our third-party anti-virus has deleted them from the user's mailbox before they see them.


The alerts take 20 minutes to half an hour to investigate and are never true, so I just ignore them now.


Is there some better way to handle these or to only get alerts that are real?

Hi John, we log all the URL clicks but the URL click alerts are raised only if the user has clicked on the URLs identified as malicious by Microsoft Defender for Office 365. If you believe any alert is a false alarm, please create a ticket through our customer support channels. Our teams will investigate and get back to you with the details.

For more details on these policies, you can refer to this documentation:
https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide#threat...

@Ajaj_Shaikh 


Support said:

"When the Safe Links policies are enabled, the click isn't actually a click on a link by a user. With the Safe Links policies enabled, the malicious URLs received in emails are re-written, then scanned for the malicious content.

To elaborate further, if you have an anti-virus installed on the computer that checks the URLs to see if they are malicious, then that anti-virus would "click" the URL to test it, which would trigger as a click.

So it's fully possible that the users themselves didn't click the URLs, but something did."


They think that Trend Micro Apex One is checking the mailboxes for malware and triggering the alerts. We are opening a support ticket with Trend to see if others are encountering this.

@Terry_Lazer 


Thanks for the suggestion but I don't think there are any settings to fix it.


What is happening is that emails with bad links get past ATP and so go into users' mailboxes. Trend then checks the mailbox, realizes there is a bad link and removes the email from users' mailboxes. When ATP eventually realizes the link was bad, it treats Trend checking and deleting the email as the user having clicked on the link. So, it sends an alert that the link was clicked when it wasn't.
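The mechanism described in this thread (a mailbox scanner removing a message, and the later "click" being attributed to that rather than to a user) suggests a triage check an admin could automate instead of spending 20 to 30 minutes per alert. The following is an added Python example; it is not code from the thread, from Microsoft or from Trend Micro. The record layouts and field names are assumptions standing in for whatever an alert export, a scanner log and a mailbox audit export actually contain, the sample events are constructed inline, and the ten-minute correlation window is an arbitrary choice to be tuned against real data.

```python
"""Triage 'potentially malicious URL click' alerts against scanner and mailbox evidence.

Added example with assumed record shapes. The idea: a recorded click is very
likely not a human click if (a) a third-party mailbox scanner touched or removed
the same message at about the same time, or (b) the user never opened the
message, or opened it only after the click was recorded.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ClickAlert:
    """One URL-click alert (assumed fields, not Defender's real schema)."""
    alert_id: str
    user: str
    message_id: str
    url: str
    clicked_at: datetime


@dataclass(frozen=True)
class ScannerAction:
    """A third-party scanner touching a message in a mailbox (assumed log shape)."""
    user: str
    message_id: str
    action: str          # "scanned" or "removed"
    at: datetime


@dataclass(frozen=True)
class MailboxState:
    """Whether and when the user first opened the message (assumed audit shape)."""
    user: str
    message_id: str
    read_at: Optional[datetime]   # None means the user never opened it


def classify(alert: ClickAlert,
             scanner_actions: List[ScannerAction],
             mailbox_states: List[MailboxState],
             window: timedelta = timedelta(minutes=10)) -> Tuple[str, str]:
    """Return (verdict, reason) for one alert."""
    key = (alert.user, alert.message_id)

    # (a) A scanner acted on the same message within the window of the "click".
    for s in scanner_actions:
        if (s.user, s.message_id) == key and abs(s.at - alert.clicked_at) <= window:
            return ("likely_scanner",
                    f"message {s.action} by scanner at {s.at.isoformat()}, "
                    f"click recorded at {alert.clicked_at.isoformat()}")

    # (b) The user never opened the message, or only opened it after the click.
    for m in mailbox_states:
        if (m.user, m.message_id) == key:
            if m.read_at is None:
                return ("not_a_user_click", "message never opened by the user")
            if m.read_at > alert.clicked_at:
                return ("not_a_user_click", "message first opened after the recorded click")

    # Otherwise a human click is plausible and the alert deserves a real look.
    return ("needs_review", "no scanner activity and the user had opened the message")


def triage(alerts: List[ClickAlert],
           scanner_actions: List[ScannerAction],
           mailbox_states: List[MailboxState]) -> Dict[str, Tuple[str, str]]:
    """Classify every alert; the result maps alert_id -> (verdict, reason)."""
    return {a.alert_id: classify(a, scanner_actions, mailbox_states) for a in alerts}


def summarize(results: Dict[str, Tuple[str, str]]) -> Dict[str, int]:
    """Count verdicts so the false-positive share is visible at a glance."""
    counts: Dict[str, int] = {}
    for verdict, _ in results.values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample data (not real alerts, users or URLs).
T0 = datetime(2024, 1, 15, 9, 0)
ALERTS = [
    ClickAlert("A1", "alice@example.com", "msg-100", "https://example.invalid/login", T0 + timedelta(minutes=5)),
    ClickAlert("A2", "bob@example.com", "msg-200", "https://example.invalid/invoice", T0 + timedelta(minutes=5)),
    ClickAlert("A3", "carol@example.com", "msg-300", "https://example.invalid/doc", T0 + timedelta(minutes=5)),
]
SCANNER = [
    # Scanner removed Alice's message one minute before the "click" was recorded.
    ScannerAction("alice@example.com", "msg-100", "removed", T0 + timedelta(minutes=4)),
]
MAILBOX = [
    MailboxState("alice@example.com", "msg-100", None),
    MailboxState("bob@example.com", "msg-200", None),                          # never opened
    MailboxState("carol@example.com", "msg-300", T0 + timedelta(minutes=3)),   # opened before click
]

if __name__ == "__main__":
    results = triage(ALERTS, SCANNER, MAILBOX)
    for alert_id, (verdict, reason) in results.items():
        print(alert_id, verdict, reason)
    print(summarize(results))
```

Run against an export of real alerts, scanner logs and mailbox audit data, only the `needs_review` bucket would be worth the manual half hour; the other two buckets are the evidence to attach to a support ticket when reporting the alerts as false alarms.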