High Confidence Phish not fixable
Hi all,
About a month ago we began getting reports from our customers that they were not receiving responses from our helpdesk. With a bit of further digging it transpired that the common factor was all these customers were using Office 365 with Microsoft Defender, and Microsoft Defender was seeing our main product’s portal URL as a phishing scam.
We raised a ticket with support, and have been going backwards and forwards with submissions over the last four weeks, but have made no progress.
Microsoft Defender’s quarantine process seems random – we make submissions, and out of 10 submissions for a URL we make in a week, 9 of them will come back with:
Unknown – We checked but can’t make a decision right now. We were unable to come to a decision regarding the item. This can occur for a variety of reasons, such as different interpretations by different analysts or the item being inaccessible. Please resubmit the item for analysis.
Occasionally, a URL will then come back as No Threats, and maybe for a day we are able to receive an email with said links in it. But then 1 or 2 days later, it reverts back to being a phishing link.
It has mostly been confined to the same sub-domain where our portal lives, and different paths within that domain have alternated as being phishing and being no threat. Even when the URLs themselves are not treated as threats, the URL detonation reputation mechanism has marked the entire email as phishing regardless.
Today we found out that Microsoft Defender is now classing our signup application, which deals with new account sign ups of our product, as a phishing URL. This stops anyone from signing up to our product. The sign up web application sits on a different sub-domain altogether from our main portal application.
We have repeatedly scanned all our applications and endpoints, along with our surface management tools, and are sure these are all false positives.
We implemented emergency mitigation procedures by buying a new domain that the sign up process can live on, and changing our entire sign up process to use this new domain.
As soon as the new process was live, we tested it all, the activation link email worked, but as soon as the completion “welcome email” is sent out, that now gets caught as a high confidence phishing scam because Microsoft Defender has, as of this afternoon, decided that our documentation site that is linked from the welcome email, is also a high confidence phishing URL. This is a simple HTML set of pages served by GitHub pages which is totally detached from the rest of our infrastructure.
We have done four submissions so far for the documentation URL, and so far each time we have had that same “Unknown” result we constantly see:
We offer billing services in a mostly B2B market, so the majority of our customers use Office 365. The impact this problem has had on our business is huge, and now with the problem spreading to other sub-domains within our application including our sign up, this now threatens the commercial viability of our business.
Microsoft Defender submissions appear completely broken; they are not able to analyse or permanently determine the status of a URL.
We have gone backwards and forwards with support, and repeatedly asked to have this matter escalated, but been met with no response.
The threat to our business is huge, but we appear to have no recourse to rectify this problem with Microsoft, where does one go from here?