SHD / MC Checker

[serviceRestored] DZ534539 | Microsoft 365 Defender | Admins received false alerts of user click activity for malicious URL links

Status: serviceRestored
Classification: incident
User Impact: Admins received false alerts of user click activity for malicious URL links.
Last Updated: 03/29/2023 18:23:04
Start Time: 03/29/2023 07:00:00
End Time: 03/29/2023 17:15:00
Latest Message Title: Admins received false alerts of user click activity for malicious URL links

User impact: Admins received false alerts of user click activity for malicious URL links.

More info: Users who clicked on known safe URL links were allowed to proceed as expected; however, an error within the SafeLinks alerting service incorrectly generated email alerts to admins stating that “A potentially malicious URL click was detected” for this action. While these links did not present a risk to your organization and did not prevent users from accessing legitimate URLs, the incorrectly generated alerts were delivered to the same alert queue as valid URL click alerts.

We previously reported through this notification an issue in which admins were intermittently unable to access additional details for URL click alerts from the ‘View alerts’ link within an alert email or in the Microsoft Defender admin center. Further details around this impact scenario may be found under DZ534548.

Final status: We’ve identified that the recent addition of multiple safe URLs to the SafeLinks feature caused the false positive configuration rule in the URL click logging service to incorrectly begin generating false positive records to the alerting service. These alerts were then delivered to admins as notifications of a potentially malicious URL click action from a user.

We’ve reverted these additions and confirmed that admins are no longer receiving the false activity alerts. We’re working to mark all false positive alerts as resolved and are building a full list of URLs associated with these alerts; however, we’ve found that a large number of them originated from URL clicks directing to Zoom.us domains. Admins may dismiss any of the alerts from this domain.

Start time: Wednesday, March 29, 2023, at 7:00 AM UTC

End time: Wednesday, March 29, 2023, at 5:15 PM UTC

Scope of impact: Impact was specific to any admin served through the affected infrastructure.

Preliminary root cause: A recent change to add a number of URLs to the SafeLinks service as known safe domains inadvertently triggered a malfunction within the false positive configuration rule for URL click logging. This caused the service to begin generating false alerts of malicious URL clicks, which were then sent to admins as email alerts and were visible as investigations within the Microsoft Defender admin center.

Next steps:
- We’re working to mark all false positive alerts as resolved within the Microsoft Defender admin center.
- We’re working to resolve the issue causing admins to intermittently be unable to access alert details from the email link.

A Post-Incident Report will be published for this event within five business days.