Microsoft Tech Community

Defender quarantining all emails as High Confident Phishing


Hi,

Defender has started to quarantine all emails now as High Confidence Phishing even though the emails are perfectly fine.

Seems like all URLs are being found to be phishing links. However, this is not the case; there are 1000s of emails affected by this, and it now seems to be flagging every email sent to our users.

Seems to have started at around 16:39hrs GMT (UK time) today.

The policy that is the same across all the emails I can see is the Standard Preset Security Policy (Anti-Phishing policy), located in Email & Collaboration > Policies & rules > Threat policies > Anti-phishing.

When looking at the emails, it's the URL detonation reputation that states the URLs are malicious.

No changes have been made to this policy for at least 3 months.

This is also triggering multiple High alerts in Defender for 'A potentially malicious URL click was detected'. Again, when checking these emails, they are all benign.

Anyone else seeing a large influx of quarantined emails in Defender?

[Edit]

We use Mimecast as our gateway, so all emails sent from outside the org have to go through Mimecast first.

Mimecast doesn't see any issues with them, and looking at the headers for the emails, I see no issues.

Just that Microsoft is flagging every email that contains links as High Confidence Phishing.

Normally we would expect to see approx 10 or so a day for HCP emails, but never to this extent.

I know that Mimecast is set to do URL Re-Write protection, and I have always wondered if MS can read through the URL re-writing that Mimecast sets for links, but it has never quarantined them based on the fact that the URLs have been re-written by Mimecast.

The only URLs that Microsoft is flagging as High Confidence Phishing are the ones that have been re-written by Mimecast. That is the case on all the emails that I have been through now.
Have also raised a Support ticket via the portal for this on ticket #‎2401080050005168 and asked to get this escalated as there is no way to set the priority when raising a ticket initially.

 

[Update]

This is now resolved. The issue was that Mimecast have just changed the URL re-writing format from:

https://protect.mimecast-offshore.com/*****************

To

https://url.jer.m.mimecastprotect.com/*****************

I starred out the rest for obvious reasons.

Not sure if this is just a UK thing, but this change only occurred this afternoon for our tenant.

2 Replies

@Brok3NSpear We are experiencing the exact issue you describe and are using Mimecast in Australia, and it appears that the URL rewrite has changed. What was your solution for allowing mail flow to resume? Did you submit the new URL to Microsoft as trusted at the tenant level?