Microsoft Defender flagged legit URLs as malicious
In context: Born as a Windows-specific antimalware program, Microsoft Defender is now a brand encompassing many security services for Windows, the cloud, and Office applications. Which can be a real nuisance, as the AV tends to act weird every now and then.
Microsoft Defender is once again turning its “security” protection against legit features. This time, system administrators have been flooded with security warnings regarding legitimate URL links, which were “incorrectly” flagged as malicious by the Defender service.
Users and admins complained that links coming from Zoom or even Google services were being flagged as a potential security threat, which triggered a flow of security alerts to the Microsoft 365 Admin Center portal. The portal itself was working intermittently, the users said.
Microsoft was soon obliged to acknowledge the issue, stating that they were investigating the incident and the fact that some of the alerts were “not showing content as expected.” The incident, which is being tracked as DZ534539, was seemingly affecting hundreds of accounts worldwide.
After reviewing diagnostic data such as network telemetry, Microsoft was finally able to identify the root cause for the issue. The company later said that some “recent additions to the SafeLinks feature” resulted in the false alerts experienced by admins around the world. Reverting said additions was enough to fix the issue, Microsoft said.
The Safe Links feature is an additional security protection in Defender for Office 365, which is intended for business customers who have Microsoft Defender for Office 365. SafeLinks provides “URL scanning and rewriting” functionality for incoming email messages, searching for potential threats in addition to the regular anti-spam and anti-malware services included in the Exchange Online Protection (EOP) service.
As confirmed by third-party reviews and comparatives, Microsoft Defender is essentially a cloud-based security solution that lacks basic offline detection capabilities third-party antivirus programs usually provide. But the cloud is often poisoning Defender’s ability to properly recognize security threats, as the AV engine is prone to a significant issue with false positives.
Just a couple of months before the URL incidents of these past hours, Defender started to “kill” Start Menu shortcuts, icons, and even executable files from users’ PCs. That time, the issue was caused by an ASR rule modified by a recent update for the antivirus.