Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Microsoft Defender Email Investigation

Copper Contributor



I have been doing an investigation into some emails being blocked by our Threat Investigation AIR, and from what I can gather, the issue is this:


When a customer has an email signature containing Tel:0000000, Defender believes this is a phishing URL, but when examining this, it's not. It's just a handler to open the telephone number. 


Q: why does it do this - Shouldn't defender know it's just a Handler with a legit URL?

Q: Why does it get converted into a Bing link ?

Q: Can I white list just the first part of the URL - 






0 Replies