Microsoft Tech Community

Microsoft Defender is considering Safe link as malicious


Microsoft Defender for Office 365 (Safe Links) is considering a legitimate URL as malicious and users are not able to open the link. How can we ensure the link is whitelisted and doesn't trigger an alert as malicious?

3 Replies

@Sivachandran_Palani 

 

Key questions:

  1. the recipients are in your tenancy or in other organisations?
  2. the blocked URL domain belongs to Microsoft or another organisation?
  3. the blocked URL domain or subdomain is exclusively yours, or shared? 

Possible answers:

  1. The recipients are in your tenancy and the URL really is reliable - add it to the Safe Links threat policy "Do not rewrite" list, or add it to the Tenant Allow / Block list URL tab. Don't bother trying this if you have to include the path or parameter; you will run out of space.
  2. The URL domain belongs to Microsoft and is not one of the problematic ones such as Forms, CRM Uservoice or whatever Sway is called this week - raise a call with Product Support if the problem is consistent. 
  3. The URL domain or subdomain is shared - well, that is the same as accepting mail unconditionally from a shared IP address, isn't it?

For all of these answers, you might know that your URLs are perfectly OK but remember that Microsoft is basing its verdicts on all the traffic it sees. I have seen a few cases where the action taken seems utterly inexplicable, but more often I nod and say "yes, I can see how that might be a problem." Do weigh the risk you are taking if you intentionally exempt a domain or subdomain from your defences.  

Thanks for the reply. Yes, the URL is an internal URL used for security purposes; it was sent to internal users, and when they clicked it they got the "could be malicious" popup in Defender.

We had already added it to the "Do not rewrite" list. So can you provide the steps to add it as an "Allow" list URL? It would be really helpful in adding the URL to the allow list.

If by "internal" you mean a domain which could be public but is in fact only resolved correctly on your internal network then that's not going to work for a cloud solution like M365. I don't think M365 has a problem with non-existent top-level domains, but some other security products do and it is increasingly difficult to keep up with the clowns approving nonsense into the global address space. For all other values the previous principle stands; never mind your own organisation's legitimate use, what are other people using that domain for on the internet?

The tenant Allow/Block list can be seen from security.microsoft.com, Email & Collaboration, Policies & Rules, Threat Policies, Tenant Allow/Block Lists, URL tab.

To add a value, go through security.microsoft.com, Actions & Submissions, Submissions and submit your URL to Microsoft with the drop-down set to "URL". You may need to push the case with Product Support, and you can't have a permanent entry; the idea is that you should not need one, something that causes annoyance elsewhere on this forum. If the URL is persistently troublesome then you need to go looking for the reason why.