"This link is malicious" false-positive on messages received on outlook.com and O365 managed email

We are encountering issues with recipients having links in our sent emails marked as malicious by Outlook Advanced Threat Protection on Outlook.com addresses and on certain recipients through Office365 Exchange server, and we cannot understand why.

We are an ESP with a common infrastructure, and for a tiny handful of clients, emails processed by ATP get into inbox (Outlook.com/Live/Hotmail and O365 managed mailboxes), but when clicking on a link, it's redirected by ATP to a warning page saying "this link is malicious".

The links are redirect links that go to our systems before redirecting on to the client's original link. We have found no security issues on the client's target link, and we have not found any issues on our own redirect infrastructure - which is mostly used successfully for most of our clients, but for some reason, Microsoft just does not like the domain name - and we have no idea why, and we are incapable of getting any explanation from Microsoft on this issue!

The only response we can get - when we can get one - is "just deactivate advanced threat protection". That's not going to fly!

This issue has been going on for months, and we have reached out to multiple MS contacts to attempt to obtain help and an explanation, but to no avail. Some background into our frustration:

  • We have contacted the Microsoft Postmaster => Response: this is not a deliverability issue but ATP, and the Postmaster cannot assist as your mails are getting into inbox ok.
  • We have contacted Outlook support with a live use case => After a 2 hour discussion, the end result was "Someone may have marked your mail as malicious, we don't know any more and cannot help you further other than deactivating ATP outright for your organisation".
  • We have contacted our dedicated corporate support at Microsoft who tell us they cannot help.
  • We have escalated this through our sales contacts at Microsoft who cannot help.
  • We have contacted dedicated malware contacts at Microsoft through the M3AAWG organisation. No response.
  • Our recipients have contacted MS. No answer other than "don't use Advanced Threat Protection".
  • We have tried complaining on Twitter several times. No response.
  • We have written a couple of requests for further details on MS support forums, and other than "deactivate ATP on affected accounts", all other pointers have taken us through to the dead ends above.

Is there any support channel open for this at Microsoft? We would love to address any issues, legitimate or false-positives, on ATP processed emails going to Microsoft hosted recipients, but for the moment, we have tried climbing through every support hurdle available to us and fell into a black hole every time over the last couple of months and don't know where else to turn!

0 Replies