Jan 27 2018 01:14 AM
Can I get some guidance/advice on a security matter with Office 365 Safe Links?
A reseller I’m working with has a client that received the following email:
--- Start ---
From: Andrew Wilkinson [mailto:andrew.wilkinson@...]
Sent: Wednesday, 24 January 2018 1:14 PM
Subject: Just shared a file with you
Importance: High
Andrew used Docusign to share some document files. Kindly press "review document" to access the file.
REVIEW DOCUMENT (<- was a hyperlink that I have removed)
Let me know if you have any questions.
Andrew
—————————
Andrew Wilkinson|Project Manager
--- End ---
Clicking on the link took you to a web site that looked very official (including its own https: cert) and showed you 3 buttons.
If you then selected the Office 365 button you ended up on what appears to be an Office 365 login page. There you would put in your credentials and they would be stolen. An average user would know no better and happily surrender their credentials.
So, typical phishing scam site, which is now unavailable and most likely taken down. The actual URL was:
https:<whack><whack>clasiqo-viewerdoc.com/*&%5e%25$%23@*&%5e%25$%23@*&%5e%25$%23@*&%5e%25$%23@*&%5e%25$%23@*&%5e%25$%23@/office.php
Now the customer has Office 365 Advanced Threat Protection in place with safe links configured. The idea with safe links is that the end user is warned when they go to a dodgy web site. Clearly, the one above fits that criteria yet safe links didn’t pick anything up. So, to the client’s mind Office 365 ATP safe links is not performing the role it should in protecting them.
I however fully appreciate that safe links is a reputation based system that requires reference to some sort of database of link reputation. If the link is unknown then safe links is not going to work. I in fact tested this link on a few security sites and it was unknown:
So I get that safe links can only deal with what it knows.
My issue is getting in touch with someone at MS to let them know that this site slipped through safe links and they should in fact add it to their database. Secondly, I would again like to share this information with the appropriate people inside MS so they can take action to improve the safe links service. Finally, I would like to understand what action could be taken with Office 365 in the future to mitigate this as much as possible.
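An added example, not code from any post in this thread, of the point made above: when a link is unknown to a reputation database, the message can still be triaged locally against what it claims. It assumes a small illustrative allowlist of brand domains (docusign.com/.net, microsoftonline.com and the like) and rebuilds the URL from the `<whack>` defanging used in the post.

```python
"""Heuristic triage of a lure e-mail when URL reputation is silent."""
import re
from urllib.parse import unquote, urlsplit

# Assumed brand -> legitimate link domains (illustrative allowlist,
# not taken from the thread or from any vendor documentation).
BRAND_DOMAINS = {
    "docusign": ("docusign.com", "docusign.net"),
    "office 365": ("microsoft.com", "microsoftonline.com", "office.com"),
}


def refang(url: str) -> str:
    """Undo the '<whack>' / hxxp defanging used when sharing IoCs."""
    url = url.replace("<whack>", "/")
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def host_of(url: str) -> str:
    # netloc ends at the first '/', so the '@' signs inside the path
    # cannot smuggle a fake userinfo part in front of the real host
    return urlsplit(refang(url)).hostname or ""


def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def assess_link(body: str, href: str) -> list:
    """Return reasons the link looks suspicious; empty list means none."""
    reasons = []
    host = host_of(href)
    text = body.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in text and not any(in_domain(host, d) for d in domains):
            reasons.append(f"claims {brand!r} but links to {host}")
    # the quoted URL pads its path with repeated percent-encoded punctuation
    for seg in urlsplit(refang(href)).path.split("/"):
        if seg and not any(c.isalnum() for c in unquote(seg)):
            reasons.append("path segment with no letters or digits")
            break
    return reasons


# Constructed from the message and URL quoted in the thread
BODY = ('Andrew used Docusign to share some document files. '
        'Kindly press "review document" to access the file.')
HREF = ("https:<whack><whack>clasiqo-viewerdoc.com/"
        "*&%5e%25$%23@*&%5e%25$%23@/office.php")

if __name__ == "__main__":
    for reason in assess_link(BODY, HREF):
        print("flag:", reason)
```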
Jan 27 2018 09:50 AM
Support case and escalation should be the correct way to handle this. You can also submit phishing messages via the Outlook/OWA add-in, but that doesn't usually result in hearing back from anyone at MS.
I don't think there is a separate method to report on safe link false negatives, but I can spam a few contacts...
Jan 27 2018 09:56 AM
Solution
Jan 27 2018 12:52 PM
Thanks @VasilMichev but the issue isn't technically malware, it is more phishing. The problem is that 'reporting' is done via Outlook Junk mail in OWA, which is not what 'average' users work with; they are normally on Outlook on the desktop.
You have provided some options in that link that allow possible submission for analysis and I agree that escalation via a support call is the best option. However, that doesn't protect the client at the point of incoming which is the concern here.
I appreciate that safe links are reputation based and if they aren't as yet reported they don't appear in the reputation database. For some reason this reseller is claiming that their clients are getting lost that don't get detected by ATP safe links.
Unfortunately, there probably isn't an easy answer here and I'll go back to them with what you've provided. Thanks.
Jan 28 2018 10:04 AM
The add-in is also available for Outlook, and it is a good idea to deploy it to users. I've also reached out to the Exchange folks to see if there is a better method to report such issues, but I cannot promise anything on that front.