Microsoft’s own Defender antivirus program has erroneously labeled a number of safe links as malicious, sowing confusion among dozens of users.
After one of the affected users posted about the problem on Reddit, others quickly chimed in, confirming they had seen the same issue. For some, Zoom links were classified as malicious, while for others, Google’s links, as well.
Soon after being tipped off, Microsoft took to Twitter to acknowledge the problem and to say that its engineers were working on a fix.
Trouble viewing alerts
"We're investigating an issue where legitimate URL links are being incorrectly marked as malicious by the Microsoft Defender service. Additionally, some of the alerts are not showing content as expected," Microsoft said.
"We've confirmed that users are still able to access the legitimate URLs despite the false positive alerts. We're investigating why and what part of the service is incorrectly identifying legitimate URLs as malicious."
A later update on the Microsoft 365 Admin Center portal stated that admins can expect an “increased number” of high-severity email message alerts saying “A potentially malicious URL click was detected”, and that they can also expect trouble viewing the details by pressing the “View alerts” link in the messages.
"We're reviewing service monitoring telemetry to isolate the root cause and develop a remediation plan," Microsoft said. "Impact is specific to any admin served through the affected infrastructure."
A few hours later, Microsoft issued yet another update, saying the false positive issue has been addressed. Apparently, the problem was in the SafeLinks feature, and its engineers fixed it by reverting recent updates.
“We determined that recent additions to the SafeLinks feature resulted in the false alerts and we subsequently reverted these additions to fix the issue,” Microsoft said in a tweet. “More detail can be found in the Microsoft 365 admin center under DZ534539.”
- Check out the best firewalls