Microsoft Defender Falsely Identifying URLs as Malicious

On March 29, 2023, at approximately 8:04 AM ET, Microsoft tweeted via their account @MSFT365status that they were investigating an issue in which some non-malicious URL links were being incorrectly marked as malicious by Microsoft Defender.

For system administrators and IT professionals who have access to the Microsoft Admin Center, the service incident number to reference was DZ534539.

We're investigating an issue where legitimate URL links are being incorrectly marked as malicious by the Microsoft Defender service. Additionally, some of the alerts are not showing content as expected. Further details can be found under DZ534539 within the admin center.

— Microsoft 365 Status (@MSFT365Status) March 29, 2023

Feedback and responses from the Twitter community were immediate, many voicing complaints and frustration as to the frequency of outages and service incidents. As you may recall, a similar service incident (Microsoft service incident numbers EX533537 and TM533635) occurred just two days ago (March 27th) in which Safe Links (Microsoft Defender) was causing delays or failures when users tried to open safe URLs.

Some community responses on Twitter from IT professionals suspected that ChatGPT and Microsoft's new AI integration may be causing the issue, other IT professionals indicated that, no matter what the cause, the issue at hand was negatively impacting their business operations.

At 9:39 AM ET, approximately 90 minutes from their first message, Microsoft tweeted a second message indicating that they were still investigating the whys and wherefores as to Microsoft Defender marking legitimate URLs as malicious. Microsoft also provided a second service incident number, DX534539.

We've confirmed that users are still able to access the legitimate URLs despite the false positive alerts. We're investigating why and what part of the service is incorrectly identifying legitimate URLs as malicious. Further details are under DX534539 within the admin center.

— Microsoft 365 Status (@MSFT365Status) March 29, 2023

At approximately 12:30 PM ET, Microsoft's third message provided little more than what was previously tweeted: that Microsoft was still actively investigating the root cause and no remediation efforts were in place yet.

We're reviewing diagnostics such as network telemetry data to verify the root cause and identify a path to resolution. Further detail can be found under DZ534539 in the Microsoft 365 admin center.

— Microsoft 365 Status (@MSFT365Status) March 29, 2023

Community feedback on social media continued to be split between IT professionals and business leaders genuinely frustrated with the on-going issue and those poking fun at Microsoft's expense.

By approximately 2:30 PM ET, Microsoft provided an update, this time with a bit more clarity as to the cause. Microsoft was confirming that a recent change to the Safe Links feature was the culprit and that a reversion has already been completed.  As noted previously, a Microsoft Defender Safe Links issue was to blame for the March 27th service incident earlier this week.

We determined that recent additions to the SafeLinks feature resulted in the false alerts and we subsequently reverted these additions to fix the issue. More detail can be found in the Microsoft 365 admin center under DZ534539.

— Microsoft 365 Status (@MSFT365Status) March 29, 2023

At this time, the Microsoft service incident DZ534539 appears to be resolved. Until the next tweet from @MSFT365status . . . .

The Importance of Microsoft 365 Monitoring

In a cloud-world, outages are bound to happen. While Microsoft is responsible for restoring service during outages, IT needs to take ownership of their environment and user experience. It is crucial to have greater visibility into business impacts during a service outage the moment it happens.

ENow’s Microsoft 365 Monitoring and Reporting solution enables IT Pros to pinpoint the exact services effected and root cause of the issues an organization is experiencing during a service outage by providing:

• The ability to monitor networks and entire environments in one place with ENow’s OneLook dashboard which makes identifying a problem fast and easy without having to scramble through Twitter and the Service Health Dashboard looking for answers.
• A full picture of all services and subset of services affected during an outage with ENow’s remote probes which covers several Microsoft 365 apps and other cloud-based collaboration services.

Identify the scope of Microsoft 365 service outage impacts and restore workplace productivity with ENow’s Office 365 Monitoring and Reporting solution. Access your free 14-day trial today!