Jun 18 2019 05:37 AM
We have alerts set up to detect outbound malware and recently we are receiving a lot of alerts regarding attachments being marked by MS as a threat.
The attachments are ATT files and all of the emails marked have the following file hash:
961E95EB029767015671BA8562467FCE6C27899CF58C153CFEC1403B10B817B0
On checking this out on places like virustotal it is deemed clean.
I've opened a support case to Microsoft and they have told me that they must be malicious or else ATP wouldn't flag this.
I'm pretty sure this is a false positive but no idea how to proceed as support tell me there is no way to submit these as false positives.
I know there was a recent incident regarding incorrectly quarantined messages (EX182195 - Remnant quarantined messages).
I'm wondering if this is fallout from this incident still hanging around.
Any advice?
Thanks
Jun 18 2019 11:31 AM
Apart from reporting the messages to Microsoft, there's hardly anything you can do.
Jun 19 2019 06:42 AM
@Vasil Michev Thanks for the prompt reply.
Reported it to Microsoft and as mentioned they said it must be malware. I've taken the file from one email and it checks out clean on many engines.
Microsoft provided me a link to a submission site for Windows Defender and this has come back clean also and they have said that it has been previously removed as a threat from their database.
Not sure if ATP or online services use the same engine for this type of threat but now Microsoft are telling me to wait 24 hours and check the behaviour. Not filling me with confidence I'm afraid.
Jul 11 2019 06:30 AM
@Scott Preston Did you ever get anywhere with this? We are experiencing the exact same issue/same hash and it's getting flagged about 60+ times a day across various users/mailboxes.
Jul 11 2019 07:12 AM
@Ezra Pound We are still experiencing this.
We are on our 23rd day of support calls with Microsoft regarding this. Initially, support suggested they were actually infected files, so we had a few samples checked out.
I've had to explain to Microsoft how the ATT00002.HTM files are generated and have replicated the issues several times.
It appears to happen when emails are sent to users which contain attachments and inline images, such as an email signature in Outlook. All the files being flagged are attached when someone forwards the emails from an Apple client.
Microsoft Support have recently indicated that it is only our tenant this is happening with, but that is clearly not the case.
A lot of the time with Microsoft support has been wasted explaining how the flagged files are actually being generated rather than actually determining why the files are being flagged as Malware in our alerts.
I suggest you open a support case with Microsoft.
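As an added triage example that is not part of the original thread: a small Python script that walks the MIME parts of a quarantined .eml, hashes each attachment and compares it against the SHA-256 reported in the thread, so the attachment can be matched to the alert before it is sent off for analysis. The sample message (forwarded body, inline signature image, ATT00002.htm part) is constructed here and its bytes are invented, so it will not match the flagged hash.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# SHA-256 quoted in this thread for the quarantined ATT*.HTM attachments.
FLAGGED_SHA256 = "961E95EB029767015671BA8562467FCE6C27899CF58C153CFEC1403B10B817B0".lower()

# Constructed sample payloads (not real attachment content).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\nconstructed-signature-image-bytes"
SAMPLE_HTML = b"<html><body>constructed ATT00002 content</body></html>"


def attachment_hashes(raw_message: bytes) -> list:
    """Parse a raw RFC 5322 message and return one record per attachment
    (any part carrying a filename): name, content type, size, SHA-256 of the
    decoded bytes, and whether that hash equals the one flagged in the thread."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    records = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container part, descend into its children instead
        filename = part.get_filename()
        if not filename:
            continue  # message body, not an attachment
        payload = part.get_payload(decode=True) or b""  # base64 etc. undone
        digest = hashlib.sha256(payload).hexdigest()
        records.append({
            "filename": filename,
            "content_type": part.get_content_type(),
            "size": len(payload),
            "sha256": digest,
            "matches_flagged": digest == FLAGGED_SHA256,
        })
    return records


def build_sample_message() -> bytes:
    """Constructed forwarded message shaped like the ones described above:
    text body, inline signature image, and an ATT00002.htm attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Fwd: signature test"
    msg.set_content("Forwarded message body")
    msg.add_attachment(SAMPLE_PNG, maintype="image", subtype="png",
                       filename="image001.png", cid="<sig@example.com>")
    msg.add_attachment(SAMPLE_HTML, maintype="text", subtype="html",
                       filename="ATT00002.htm")
    return msg.as_bytes()


if __name__ == "__main__":
    for rec in attachment_hashes(build_sample_message()):
        print(rec)
```

For a real quarantined message, read the .eml with `open(path, "rb").read()` and pass the bytes to `attachment_hashes`; a `True` in `matches_flagged` confirms the part is the one behind the alert.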
Feb 05 2021 05:11 AM
Incredibly, years later, this same hash has started popping up frequently and is triggering ZAP and alerts. Did anyone ever get any explanation or satisfaction on this?
Feb 05 2021 05:27 AM
@James Slora After spending around 26 days trying to have this resolved and several escalations, I was just told that the issue had been resolved and no explanation was given despite asking several times. I was told to re-open the ticket if it happened again. I can't say I have noticed any ZAPs relating to this same hash recently, but I will keep my eye out.
Feb 05 2021 08:33 AM
+1 here.
Same ordeal here. Multiple detections and warnings.
Could this please be looked into?
Thank You