Exchange ATP SafeLinks - Blocking sites not in the block list


We have an issue where ATP is blocking emailed links and giving the "This website has been classified as malicious." message, but the site is not on the block list, and we are not scanning downloads.

How can we (a) find out why it is doing this and (b) stop it doing it if the site is not malicious?

I'm pretty sure the ATP blocked links are clean - respected website, not blacklisted anywhere ever, scans with all the usual tools show up nothing, our main web content filter says the links are all OK (and that is usually pretty paranoid).

3 Replies

Check the Safe Links policies in the Exchange Online admin center. You may have modified the default policy, or created a new custom policy, maybe blocking "potentially malicious URLs".

https://docs.microsoft.com/en-us/office365/enterprise/advanced-threat-protection-for-your-office-365...

We do indeed check against the list of potentially malicious URLs, and prevent clickthrough, but the URLs being blocked are not in that list (even when I parse the wildcards to ensure it isn't matching a poorly written entry by accident). I can't figure out why they are being blocked. Most are fine, just this one set, all connected to a specific organisation (who publish transportation industry newsletters).

Odd!

Please take into account that blocked URLs in the Default policy are not the same as the "Potentially malicious URLs" option that appears in custom policies (a different list of policies, at the bottom of the page). The latter uses URL Detonation, threat intelligence technology:

https://blogs.office.com/en-us/2017/01/25/evolving-office-365-advanced-threat-protection-with-url-de...

In custom policies, you can block "Potentially malicious URLs" and then whitelist the URLs that you want.