Issues with Office 365 Advanced Threat protection Safe Links

Can I get some guidance/advice on a security matter with Office 365 Safe Links?

 

A reseller I’m working with has a client that received the following email:

 

--- Start ---

 

From: Andrew Wilkinson [mailto:andrew.wilkinson@...]
Sent: Wednesday, 24 January 2018 1:14 PM
Subject: Just shared a file with you
Importance: High

 

Andrew used Docusign to share some document files. Kindly press "review document" to access the file.

 

REVIEW DOCUMENT (<- was a hyperlink that I have removed)

 

Let me know if you have any questions.

 

Andrew

—————————

Andrew Wilkinson
Project Manager

--- End ---

 

Clicking on the link took you to a web site that looked very official (including its own HTTPS cert) and showed you 3 buttons.

If you then selected the Office 365 button you ended up on what appears to be an Office 365 login page. There you would put in your credentials and they would be stolen. An average user would know no better and happily surrender their credentials.

 

So, typical phishing scam site, which is now unavailable and most likely taken down. The actual URL was:

 

https:<whack><whack>clasiqo-viewerdoc.com/*&%5e%25$%23@*&%5e%25$%23@*&%5e%25$%23@*&%5e%25$%23@*&%5e%25$%23@*&%5e%25$%23@/office.php

 

Now the customer has Office 365 Advanced Threat Protection in place with safe links configured. The idea with safe links is that end users are warned when they go to a dodgy web site. Clearly, the one above fits those criteria yet safe links didn’t pick anything up. So, to the client’s mind Office 365 ATP safe links is not performing the role it should in protecting them.

I however fully appreciate that safe links is a reputation based system that requires reference to some sort of database of link reputation. If the link is unknown then safe links is not going to work. I in fact tested this link on a few security sites and it was unknown:

 

Trend Micro Site Safety Center – URL Rating

Checked: https://clasiqo-viewerdoc.com/*&%5e%25$%23@*&%5e%2 (truncated by the site)

Is it safe? Untested

Category: Newly Observed Domain – "Because you were curious about this URL, Trend Micro will now check it for the first time. Domains that have not been classified by Trend Micro and were recently observed for the first time or recently became active, but are not necessarily newly registered, such as throwaway domains."

 

So I get that safe links can only deal with what it knows.

 

My issue is getting in touch with someone at MS to let them know that this site slipped through safe links and they should in fact add it to their database. Secondly, I would again like to share this information with the appropriate people inside MS so they can take action to improve the safe links service. Finally, I would like to understand what action could be taken with Office 365 in the future to mitigate this as much as possible.
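
The post above makes the point that Safe Links can only act on URLs already known to its reputation database, so a freshly registered domain sails through. The script below is an added example for local triage of a reported message; it is not Microsoft's code and not part of this thread. It pulls the links out of a constructed HTML email modelled on the one quoted above, unwraps any link that Safe Links has already rewritten (assumed to use the `safelinks.protection.outlook.com` host with the original URL in the `url` query parameter), and flags the indicators visible in this case: a domain not on a locally maintained list of previously seen domains (`KNOWN_DOMAINS`, constructed here), heavy percent-encoding in the path, and an `@` in the decoded path. The scoring thresholds are illustrative assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse, unquote, parse_qs

# Constructed sample message modelled on the phishing email quoted in the thread.
# The first link is the reported domain; the second is what a link looks like
# after Safe Links has rewritten it (host/parameter format assumed).
SAMPLE_EMAIL = """From: sender@example.invalid
Subject: Just shared a file with you
Content-Type: text/html

<p>Kindly press <a href="https://clasiqo-viewerdoc.com/*&%5e%25$%23@*&%5e%25$%23@/office.php">review document</a></p>
<p><a href="https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcontoso.example%2Fdoc&data=x">known doc</a></p>
"""

# Constructed local list of domains the tenant has seen before (an assumption;
# in practice this would come from mail logs or a proxy's history).
KNOWN_DOMAINS = {"contoso.example", "microsoft.com"}

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")


def extract_urls(raw_message: str) -> list:
    """Return every href target found in the message body, in order."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    return HREF_RE.findall(body)


def unwrap_safelinks(url: str):
    """If the URL is a Safe Links rewrite, return (original_url, True);
    otherwise return (url, False). Host and 'url' parameter are assumed."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host.endswith("safelinks.protection.outlook.com"):
        inner = parse_qs(parsed.query).get("url", [None])[0]
        if inner:
            return inner, True
    return url, False


def assess_url(url: str, known_domains=KNOWN_DOMAINS) -> dict:
    """Score one link on the indicators seen in the reported message."""
    target, wrapped = unwrap_safelinks(url)
    parsed = urlparse(target)
    host = parsed.hostname or ""
    findings = []
    if host not in known_domains:
        findings.append("domain not previously seen by this tenant")
    # Four or more percent-escapes in the path is an illustrative threshold.
    if len(PCT_RE.findall(parsed.path)) >= 4:
        findings.append("heavy percent-encoding in path")
    if "@" in unquote(parsed.path):
        findings.append("'@' present in decoded path")
    return {
        "url": url,
        "target": target,
        "host": host,
        "wrapped": wrapped,
        "findings": findings,
        "score": len(findings),
    }


def triage(raw_message: str) -> list:
    """Assess every link in a message, highest score first."""
    results = [assess_url(u) for u in extract_urls(raw_message)]
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage(SAMPLE_EMAIL):
        print(r["score"], r["host"], "(Safe Links wrapped)" if r["wrapped"] else "", r["findings"])
```

A link that scores here is a candidate for a support case or a manual block, not proof of phishing; the "not previously seen" indicator in particular is exactly the gap the post describes, since a reputation service and a local allow-list both lack any history for a brand-new domain.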

 

4 Replies

Support case and escalation should be the correct way to handle this. You can also submit phishing messages via the Outlook/OWA add-in, but that doesn't usually result in hearing back from anyone at MS.

 

I don't think there is a separate method to report on safe link false negatives, but I can spam a few contacts...

best response confirmed by Robert Crane (MVP)

Thanks @Vasil Michev but the issue isn't technically malware, it is more phishing. The problem is that 'reporting' is done via Outlook Junk mail in OWA which is not what 'average' users work with, they are normally on Outlook on the desktop.

 

You have provided some options in that link that allow possible submission for analysis and agree that escalation via a support call is the best option. However, that doesn't protect the client at the point of incoming which is the concern here.

 

I appreciate that safe links are reputation based and if they aren't as yet reported they don't appear in the reputation database. For some reason this reseller is claiming that their clients are getting lost that don't get detected by ATP safe links.

 

Unfortunately, there probably isn't an easy answer here and I'll go back to them with what you've provided. Thanks.

The add-in is also available for Outlook, and it is a good idea to deploy it to users. I've also reached out to the Exchange folks to see if there is a better method to report such issues, but I cannot promise anything on that front.