{"id":907,"date":"2023-03-30T04:00:33","date_gmt":"2023-03-29T19:00:33","guid":{"rendered":"https:\/\/m365jp.xyz\/?p=907"},"modified":"2023-03-30T04:00:43","modified_gmt":"2023-03-29T19:00:43","slug":"servicerestored-dz534539-microsoft-365-defender-admins-received-false-alerts-of-user-click-activity-for-malicious-url-links","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2023-03-30-servicerestored-dz534539-microsoft-365-defender-admins-received-false-alerts-of-user-click-activity-for-malicious-url-links","title":{"rendered":"[serviceRestored] DZ534539 | Microsoft 365 Defender | Admins received false alerts of user click activity for malicious URL links"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">DZ534539 | Microsoft 365 Defender | Admins received false alerts of user click activity for malicious URL links<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Status<\/th>\n<td class=\"bad\">serviceRestored<\/td>\n<\/tr>\n<tr>\n<th>Classification<\/th>\n<td>incident<\/td>\n<\/tr>\n<tr>\n<th>User Impact<\/th>\n<td>Admins received false alerts of user click activity for malicious URL links.<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>03\/29\/2023 18:23:04<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>03\/29\/2023 07:00:00<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>03\/29\/2023 17:15:00<\/td>\n<\/tr>\n<tr>\n<th>Latest Message<\/th>\n<td><p>Title: Admins received false alerts of user click activity for malicious URL links<\/p>\n<p>User impact: Admins received false alerts of user click activity for malicious URL links.<\/p>\n<p>More info: Users that clicked on known safe URL links were allowed to proceed as expected; however, an error within the SafeLinks alerting service incorrectly generated email alerts to admins stating that \u201cA potentially malicious URL click was detected\u201d for this action. While these links did not present risk to your organization and did not prevent users from accessing legitimate URLs, the incorrectly generated alerts were delivered to the same alert queue as valid URL click alerts.<\/p>\n<p>We previously reported through this notification an issue in which admins were intermittently unable to access additional details for URL click alerts from the \u2018View alerts\u2019 link within an alert email or in the Microsoft Defender admin center. Further details around this impact scenario may be found under DZ534548.<\/p>\n<p>Final status: We\u2019ve identified that the recent addition of multiple safe URLs to the SafeLinks feature caused the URL click logging service False Positive configuration rule to incorrectly begin generating false positive records to the alerting service. These alerts were then delivered to admins as notifications of a potentially malicious URL click action from a user.<\/p>\n<p>We\u2019ve reverted these additions and confirmed that admins are no longer receiving the false activity alerts. We\u2019re working to mark all false positive alerts as resolved and are building a full list of URLs associated with these alerts; however, we\u2019ve found that a large number of them originated from URL clicks directing to Zoom.us domains. Admins may dismiss any of the alerts from this domain.<\/p>\n<p>Start time: Wednesday, March 29, 2023, at 7:00 AM UTC<\/p>\n<p>End time: Wednesday, March 29, 2023, at 5:15 PM UTC<\/p>\n<p>Scope of impact: Impact was specific to any admin served through the affected infrastructure.<\/p>\n<p>Preliminary root cause: A recent change to add a number of URLs to the SafeLinks service as known safe domains inadvertently triggered a malfunction within the false positive configuration rule for URL click logging, which caused the service to begin generating false alerts of malicious URL clicks which were then sent to admins as email alerts and visible as investigations within the Microsoft Defender admin center.<\/p>\n<p>Next steps:<br \/>- We\u2019re working to mark all false positive alerts as resolved within the Microsoft Defender admin center.<br \/>- We\u2019re working to resolve the issue causing admins to intermittently be unable to access alert details from the email link.<\/p>\n<p>A Post-Incident Report will be published for this event within five business days.<\/p><\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>DZ534539 | Microsoft 365 Defender | Admins received false alerts of user click activity for malicious URL link [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-907","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/907","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=907"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/907\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=907"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=907"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=907"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}