URL detonation reputation
1 TopicURL Detonation Reputation - How do you like it?
I personally have found this detection technology to be a huge pain in the buttocks. To me, this feature doesn't really look at specific threats or risks, it just says "You cannot do anything that involves this domain name". And with that analogy, "involves" translates to any of the following: Domain is in the subject or body One of the included recipient addresses to which the message is addressed uses the domain. One of the recipients who show in the body of the email due to it being a conversation/thread, uses that domain in their address. An attachment includes that domain within its text (PDF, Word, Excel, TXT, all personally observed by me). These things get blocked as "High confidence phish". To me, they are not that whatsoever, until the message itself is doing some of the "phish" verb. This feels like an overstep on the verdict and I'd prefer they come up with a new name for the detection type, as well as a new drop down box for us to choose between MoveToJunk or Quarantine. Most times I've observed this feature "saving" clients, it's a pain in the butt for the client. I will point out the one improvement I've seen since I started belly-aching over this - it is that Microsoft now puts the bad URL/domain from within the attachments, into the list of URLs in the email entity page within M365 Defender portal. So there is at least that there now, which adds the improvement of not having to go through MS Support to find out what is the supposed bad-rep URL. Would like to know if anyone else finds this feature as a pain for the most part, and hear any other suggestions, or just confirmations about my suggestion (new category of detection so we don't have to treat these things like (HC)phish).Solved44KViews2likes31Comments
