ATP Safe Links - Legitimate OneDrive for Business links and Deep Links

%3CLINGO-SUB%20id%3D%22lingo-sub-2234895%22%20slang%3D%22en-US%22%3EATP%20Safe%20Links%20-%20Legitimate%20OneDrive%20for%20Business%20links%20and%20Deep%20Links%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2234895%22%20slang%3D%22en-US%22%3E%3CP%3EATP%20Safe%20Links%20is%20blocking%20legitimate%20OneDrive%20for%20Business%20links%20shared%20by%20our%20users%20internally.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20recently%20had%20a%20compromised%20user%20which%20was%20blocked%20by%20the%20anti-spam%20rules%20as%20expected.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20malicious%20actor(s)%20planted%20a%20PDF%20document%20(%3CEM%3Enamed%20%22microsoft.pdf%22%3C%2FEM%3E)%20in%20the%20user's%20OneDrive%20with%20an%20embedded%20link%20to%20a%20malicious%20site.%20A%20link%20to%20that%20document%20was%20then%20shared%20with%20several%20users.%20Anti-spam%20policy%20filter%20saw%20the%20number%20of%20mails%20and%20blocked%20the%20user.%20The%20users%20who%20received%20the%20link%20thought%20it%20was%20a%20legitimate%20link%20shared%20by%20the%20internal%20user%20and%20clicked%20the%20link.%20However%2C%20the%20link%20was%20blocked%20in%20the%20browser%20by%20the%20ATP%20Safe%20Links.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20far%20so%20good.%20ATP%20Safe%20Links%20IMHO%20identified%20the%20deep%20linked%20document%20as%20malicious%20and%20blocked%20the%20users%20browsing%20to%20the%20OneDrive%20link.%20Amazing.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EHowever%3C%2FSTRONG%3E%2C%20pretty%20soon%2C%20now%20all%20sharing%20links%20are%20getting%20blocked%20by%20the%20ATP%20Safe%20Links.%20Somehow%2C%20it%20seems%2C%20ATP%20Safe%20Links%20has%20recorded%20the%20OneDrive%20URL%20as%20malicious%20and%20is%20now%20blocking%20all%20legitimate%20internal%20sharing%20links.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInterestingly%2C%20copy-pasting%20the%20raw%20unwrapped%20link%20in%20the%20browser%20works.%20Only%20the%20wrapped%20links%20are%20getting%20blocked.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHas%20anybody%20else%20experienced%20this%3F%20I've%20opened%20a%20ticket%20with%20support%20and%20am%20waiting%20for%20them%20to%20check%20it%20out.%20Meanwhile%2C%20I%20thought%20maybe%20someone%20who%20has%20experienced%20something%20similar%20may%20help%20with%20more%20information%20here.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBelow%20is%20a%20screenshot%20of%20the%20document%20which%20was%20planted%20in%20the%20user's%20OneDrive%20with%20the%20name%20%22Microsoft.pdf%22.%20The%20%22Access%20Document%22%20button%20is%20the%20link%20to%20an%20actual%20external%20malicious%20site%20(which%20is%20blocked%20by%20browser's%20native%20functionality%20anyway).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20image-alt%3D%22malicious-odfb-doc.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F266971iD830A6E2DF6BDAA3%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22malicious-odfb-doc.png%22%20alt%3D%22Malicious%20document%20planted%20in%20user's%20OneDrive.%20The%20%26quot%3BAccess%20Document%26quot%3B%20button%20is%20a%20link%20pointing%20to%20an%20external%20malicious%20site.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EMalicious%20document%20planted%20in%20user's%20OneDrive.%20The%20%22Access%20Document%22%20button%20is%20a%20link%20pointing%20to%20an%20external%20malicious%20site.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2234895%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMicrosoft%20365%20Defender%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2248188%22%20slang%3D%22en-US%22%3ERe%3A%20ATP%20Safe%20Links%20-%20Legitimate%20OneDrive%20for%20Business%20links%20and%20Deep%20Links%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2248188%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F3377%22%20target%3D%22_blank%22%3E%40Abhimanyu%20Singh%3C%2FA%3E%26nbsp%3Bthanks%20for%20reporting%20the%20issue.%20We%20have%20not%20seen%20specific%20instance%20of%20this%20issue%20but%20thanks%20for%20filing%20the%20support%20ticket%20and%20we%20will%20get%20it%20investigated.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3EAbhishek%20Agrawal%20%5BMSFT%5D%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

ATP Safe Links is blocking legitimate OneDrive for Business links shared by our users internally.

 

We recently had a compromised user which was blocked by the anti-spam rules as expected. 

 

The malicious actor(s) planted a PDF document (named "microsoft.pdf") in the user's OneDrive with an embedded link to a malicious site. A link to that document was then shared with several users. Anti-spam policy filter saw the number of mails and blocked the user. The users who received the link thought it was a legitimate link shared by the internal user and clicked the link. However, the link was blocked in the browser by the ATP Safe Links. 

 

So far so good. ATP Safe Links IMHO identified the deep linked document as malicious and blocked the users browsing to the OneDrive link. Amazing.

 

However, pretty soon, now all sharing links are getting blocked by the ATP Safe Links. Somehow, it seems, ATP Safe Links has recorded the OneDrive URL as malicious and is now blocking all legitimate internal sharing links. 

 

Interestingly, copy-pasting the raw unwrapped link in the browser works. Only the wrapped links are getting blocked.

 

Has anybody else experienced this? I've opened a ticket with support and am waiting for them to check it out. Meanwhile, I thought maybe someone who has experienced something similar may help with more information here.

 

Below is a screenshot of the document which was planted in the user's OneDrive with the name "Microsoft.pdf". The "Access Document" button is the link to an actual external malicious site (which is blocked by browser's native functionality anyway).

 

Malicious document planted in user's OneDrive. The "Access Document" button is a link pointing to an external malicious site.Malicious document planted in user's OneDrive. The "Access Document" button is a link pointing to an external malicious site.

 

 

 

 

3 Replies

@Abhimanyu Singh thanks for reporting the issue. We have not seen specific instance of this issue but thanks for filing the support ticket and we will get it investigated.

 

Thanks,

Abhishek Agrawal [MSFT]

@Abhishek Agrawal (CDM) thank you.

 

The support ticket got closed and the issue was resolved by the back-end team. We had to temporarily whitelist the root URL with wildcards to disable ATP link wrapping to at least get the work going. Once resolved, we removed the whitelist. We also did a submission on root URL in the threat center, but that was marked as "completed" and we don't know what happened behind the submission nor whether that was even worthwhile! The entire process took 3-4 days.

 

However, it still is a mystery to me as to how in the first place ATP can block the root URL of OneDrive (https://org-my.sharepoint.com) instead of blocking the entire actual URL? 

Was there a risk by whitelisting yourselves that Defender might not block the maliciously embedded site in OneDrive? I agree with you - Defender did a great job protecting you from an internal threat - and then over-compensated by blocking internal legit sharing.