Microsoft Defender is mistakenly flagging legitimate links as malicious, and some customers have already received dozens of alert emails since the issue began more than five hours ago.
As the company confirmed earlier today on Twitter, its engineers are investigating this service incident as a false positive.
"We're investigating an issue where legitimate URL links are being incorrectly marked as malicious by the Microsoft Defender service. Additionally, some of the alerts are not showing content as expected," Microsoft said.
"We've confirmed that users are still able to access the legitimate URLs despite the false positive alerts. We're investigating why and what part of the service is incorrectly identifying legitimate URLs as malicious."
In an update added to the Microsoft 365 Admin Center portal, Redmond confirmed that admins would likely receive an increased number of high-severity alert email messages saying that 'A potentially malicious URL click was detected.'
The company also confirmed reports of issues accessing the alerts' details when clicking the 'View alerts' link in the emails.
"We're reviewing service monitoring telemetry to isolate the root cause and develop a remediation plan," Microsoft added. "Impact is specific to any admin served through the affected infrastructure."
Earlier today, Redmond issued another service degradation advisory via the admin center portal, notifying admins that the alerts and Incidents pages might be inaccessible.
Update March 29, 15:08 EDT: Microsoft says the false positive issue has been addressed by reverting recent updates to the SafeLinks feature.
We determined that recent additions to the SafeLinks feature resulted in the false alerts and we subsequently reverted these additions to fix the issue. More detail can be found in the Microsoft 365 admin center under DZ534539.
— Microsoft 365 Status (@MSFT365Status) March 29, 2023
Comments
Mahhn - 1 year ago
I opened multiple tickets as the day was horrid. It only flagged every Zoom link in email, and every time anyone joined a meeting another alert. Not only is this the worst security tool, now they are using it to try and push people from Zoom to Teams. Very dirty move. I could write a book with all the terrible things about Defender, but I don't have another life to give to that disaster.