Every once in a while, Microsoft Defender misfires and flags legitimate files or URLs as malicious. Today is such a day: Microsoft has confirmed that Defender is currently doing exactly that, so sysadmins are receiving a very high volume of false email security alerts. On the Microsoft 365 Status Twitter handle, the Redmond company has acknowledged the bug and provided additional details. The issue can be tracked as "DZ534539" in the Microsoft 365 Admin Center portal.
We're investigating an issue where legitimate URL links are being incorrectly marked as malicious by the Microsoft Defender service. Additionally, some of the alerts are not showing content as expected. Further details can be found under DZ534539 within the admin center.— Microsoft 365 Status (@MSFT365Status) March 29, 2023
Over on Reddit, IT and system administrators are also discussing the problem, and in one of the threads user x-64 has shared the details of DZ534539:
Title: Admins may be receiving an unexpected amount of high severity alert email messages
User impact: Admins may be receiving an unexpected amount of high severity alert email messages.
More info: The high severity alert emails refer to 'A potentially malicious URL click was detected'. Additionally, admins may be unable to view alert details using the 'View alerts' link in the emails.
Current status: We're reviewing service monitoring telemetry to isolate the root cause and develop a remediation plan.
Scope of impact: Impact is specific to any admin served through the affected infrastructure.
We will keep you posted on further developments.
Update: Microsoft has published an update on the issue. On its Microsoft 365 Status Twitter account, the company stated:
We determined that recent additions to the SafeLinks feature resulted in the false alerts and we subsequently reverted these additions to fix the issue. More detail can be found in the Microsoft 365 admin center under DZ534539.— Microsoft 365 Status (@MSFT365Status) March 29, 2023
Hence, it was a bug in the Safe Links feature of Defender for Office 365, which rewrites URLs in inbound email and re-checks them at the time a user clicks. Wrong verdicts from that time-of-click check are what produced the flood of "A potentially malicious URL click was detected" alerts, which is also why the volume of alerts, rather than any actual blocking of mail, was the visible symptom.
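For admins who were buried in these alerts, the following PowerShell is an added triage example; it is not from the article and not Microsoft's own guidance. It pulls the DZ534539 incident from Service Health via Microsoft Graph, lists which Safe Links policies are actually in force (click tracking has to be enabled for click alerts to fire at all), and then summarises Safe Links "Blocked" click verdicts for the incident window by hostname so obvious false positives stand out. The cmdlet names exist in the Microsoft.Graph and ExchangeOnlineManagement modules; the exact parameter and output property names used here are from memory and are assumptions to verify with Get-Help, as is the date window, which is taken from the tweet dates above.

```powershell
# Added example, not from the article or from Microsoft.
# Assumes: Microsoft.Graph and ExchangeOnlineManagement modules installed, an account with
# the ServiceHealth.Read.All Graph scope and Security Reader (or higher) in Exchange Online.
# Parameter and property names below are assumptions from memory; check them with Get-Help.

# 1. Read the incident from Service Health rather than relying on the Twitter feed.
Connect-MgGraph -Scopes "ServiceHealth.Read.All" -NoWelcome
$issue = Get-MgServiceAnnouncementIssue -ServiceHealthIssueId "DZ534539"
"{0}: {1} [{2}]" -f $issue.Id, $issue.Title, $issue.Status
$issue.Posts | Sort-Object CreatedDateTime | ForEach-Object {
    "{0:u}  {1}" -f $_.CreatedDateTime, $_.Description.Content
}

# 2. Show the enabled Safe Links rules and the policy settings behind each one.
#    TrackClicks must be on for "potentially malicious URL click" alerts to exist.
Connect-ExchangeOnline -ShowBanner:$false
Get-SafeLinksRule | Where-Object State -eq 'Enabled' | ForEach-Object {
    $p = Get-SafeLinksPolicy -Identity $_.SafeLinksPolicy
    [pscustomobject]@{
        Rule         = $_.Name
        Priority     = $_.Priority
        Policy       = $p.Name
        EmailEnabled = $p.EnableSafeLinksForEmail
        TrackClicks  = $p.TrackClicks
        ClickThrough = $p.AllowClickThrough
        Domains      = ($_.RecipientDomainIs -join ',')
    }
} | Format-Table -AutoSize

# 3. Pull Safe Links click verdicts for the incident window (constructed dates matching
#    the 29 March 2023 tweets) and rank blocked URLs by host. During a false-positive burst
#    the top hosts are usually your own SaaS and internal domains. Keep the rows for review
#    instead of bulk-closing the alerts: a genuine click on a malicious link in the same
#    window produces an identical alert e-mail.
$clicks = Get-SafeLinksDetailReport -StartDate (Get-Date '2023-03-29') `
                                    -EndDate   (Get-Date '2023-03-30') `
                                    -Action Blocked -PageSize 5000
$clicks |
    Group-Object { ([uri]$_.Url).Host } |
    Sort-Object Count -Descending |
    Select-Object -First 25 Count, Name |
    Format-Table -AutoSize
```

Run it from an elevated admin session after the incident is marked resolved as well as during it; the Service Health post history confirms when the SafeLinks additions were reverted, which gives you the cut-off after which "Blocked" verdicts should be treated as real again.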