SOLVED

Teams Messages showing up as Malware


For the last few days every single email my users have gotten that says "So-and-so sent you a Teams Message" (sent from noreply@email.teams.microsoft.com) has gotten flagged as "Email messages containing malware removed after delivery" by O365 Security & Compliance. This has resulted in over 1,000 informational alerts in my console (https://protection.office.com/viewalerts). Is anyone else plagued by this? I'm opening a support ticket tonight.

 

Severity: Informational
Threat type: Malware and Malicious
Details: Emails with malware that were delivered and later removed -V1.0.0.3
By the time this alert was triggered, the following 1 user received Malware and Malicious mail matching the conditions of your alert policy: user@contoso.com
2 Replies
Solution

It was a regression introduced in a recent rule update; they have since resolved it. Details are in EX189242 on your SHD. If you are still seeing messages being ZAPed, make sure to open a support case and report it.

From what you explained, it could be a false positive, and I suggest checking this with the support team. Also, check and see if there were any malicious files associated with your posts?