Defender and Smart Screen

Recently we have had several "phishing" or "Phishing email domain" alerts in MS 365 Defender (security.microsoft.com) in which the URL visited is either a school ISD webpage (http://www.friscoisd.org) or a local ISP (http://www.optimum.net:443). The issue originally was that the Defender Smart Screen would block any visit to those domains. At least I thought that was the issue as to why the triggers were activated. As they are legitimate sites, the ITIS team recently lifted those blocks in Smart Screen. However, we are still getting those sites triggered in MS 365 Defender.

1) Was Smart Screen part of the trigger alert?

2) What is setting off the triggers?

3) How do I get it so that those alert triggers are not activated anymore?

Note: I have done a suppression rule prior to the Smart Screen being updated. But I shouldn't need to have that in place anymore if Smart Screen no longer blocks the sites.

2 Replies
I think there are some things you can do that will minimize the likelihood of your sites being flagged by SmartScreen. I see one concerning thing right off the bat in using http but redirecting to port 443 on the Optimum website. That should be changed to a regular SSL site with a valid certificate. I think you are introducing some port confusion by redirecting port 80 (http) to port 443.

Some other things that will assist, as per this website:

https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx

There are several things you can do that can help minimize the chance of your site being flagged as suspicious. Think of these as best practices or optimal website design ethics.
If you ask users for personal information, use HTTPS with a valid, unexpired server certificate issued by a trusted certification authority.
Make sure that your webpage doesn't expose any cross-site scripting (XSS) vulnerabilities. Protect your site by using anti-cross-site scripting functions such as those provided by the Microsoft Anti-Cross Site Scripting library.
Use the fully-qualified domain name rather than an IP-literal address. (This means a URL should look like "microsoft.com" and not "207.46.19.30.")
Don't encode or tunnel your URLs unnecessarily. If you don't know what this means, you probably aren't doing it.
If you post external or third-party hosted content, make sure that the content is secure and from a known and trusted source.
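As an added illustration of the hygiene points quoted above (this is example code written for this page, not code from the post, from Microsoft's FAQ, or from either site mentioned), the Python helper below audits a URL for the properties the FAQ names that a program can check: plain HTTP instead of HTTPS, an IP-literal host instead of a fully qualified domain name, a scheme/port mismatch such as the http://...:443 form the reply calls out, and URLs that carry another URL or heavy percent-encoding in their path or query. The function name, the finding codes and the sample URLs other than the two from the thread are constructed for this example; the thresholds are assumptions, not SmartScreen's own rules.

```python
from urllib.parse import urlsplit, unquote
import ipaddress

# Hypothetical helper (added example, not from the post or Microsoft's FAQ).
# Reports which of the FAQ's URL hygiene points a given URL fails.

# Assumed threshold: more than this many percent-escapes in path+query is
# treated as "unnecessary encoding" for the purposes of this example.
HEAVY_ESCAPE_THRESHOLD = 10


def audit_url(url):
    """Return a sorted list of finding codes for one URL (empty list = clean)."""
    findings = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""

    # FAQ: use HTTPS with a valid certificate when handling personal data.
    # (Certificate validity itself needs a live TLS connection; not checked here.)
    if scheme != "https":
        findings.append("not-https")

    # FAQ: use a fully qualified domain name, not an IP-literal address.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass  # not an IP literal, which is what we want

    # Reply's point: http on port 443 (or https on port 80) is port confusion.
    try:
        port = parts.port  # None when no explicit port is present
    except ValueError:
        port = None
        findings.append("invalid-port")
    if (scheme == "http" and port == 443) or (scheme == "https" and port == 80):
        findings.append("scheme-port-mismatch")

    # FAQ: don't encode or tunnel URLs unnecessarily.
    tail = parts.path + "?" + parts.query
    if "://" in unquote(tail):
        findings.append("nested-url")          # another URL tunnelled inside this one
    if tail.count("%") > HEAVY_ESCAPE_THRESHOLD:
        findings.append("heavy-percent-encoding")

    return sorted(findings)


def audit_many(urls):
    """Map each URL to its findings; handy for reviewing a batch of alert URLs."""
    return {u: audit_url(u) for u in urls}


if __name__ == "__main__":
    # The first two URLs are the ones from the thread; the rest are constructed.
    sample = [
        "http://www.friscoisd.org",
        "http://www.optimum.net:443",
        "https://www.friscoisd.org/",
        "http://207.46.19.30/login",
        "https://example.com/r?u=http%3A%2F%2Fexample.org%2Flanding",
    ]
    for u, f in audit_many(sample).items():
        print(f"{u:60s} {', '.join(f) or 'clean'}")
```

Run it against the URLs that appear in an alert: a legitimate site that still shows findings here (plain HTTP, an odd port) is exactly the kind of site that looks suspicious to heuristic URL reputation systems, so these are the properties worth raising with the site owner rather than suppressing in Defender.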