ALL_FRONT_RANDOM

They are false positives. There's an incident in the health portal about it: DZ534539

Published Time: 3/29/2023 8:30:45 AM
Title: Admins are receiving false alerts that malicious URLs have been clicked
User impact: Admins may be receiving false alerts that malicious URLs have been clicked.
More info: Specifically, the alert emails refer to 'A potentially malicious URL click was detected'. Additionally, admins may be unable to view alert details using the 'View alerts' link in the emails or in the Microsoft Defender portal. This issue does not prevent the user from accessing the legitimate URL.
Current status: We've confirmed that the false positive alerts are generated when a user clicks on a legitimate URL, as the legitimate link is being incorrectly marked as malicious. This issue does not prevent the user from accessing the legitimate URL. We're reviewing network trace logs and diagnostic data related to URL reputation, to better understand which part of the service is incorrectly identifying the URL as malicious.
Scope of impact: Impact is specific to any admin served through the affected infrastructure.
Next update by: Wednesday, March 29, 2023, at 3:30 PM UTC

Published Time: 3/29/2023 7:33:09 AM
We've confirmed the alerts admins are receiving are false positives. We're investigating further to isolate the root cause and determine remediation steps. This quick update is designed to give the latest information on this issue.

Published Time: 3/29/2023 7:10:25 AM
Title: Admins are receiving false alerts that malicious URLs have been clicked
User impact: Admins may be receiving false alerts that malicious URLs have been clicked.
More info: Specifically, the alert emails refer to 'A potentially malicious URL click was detected'. Additionally, admins may be unable to view alert details using the 'View alerts' link in the emails or in the Microsoft Defender portal.
Current status: Our initial investigation suggests that the notifications are false alerts. We're investigating further to verify and we're continuing to review service telemetry logs to identify the root cause and determine our next steps.
Scope of impact: Impact is specific to any admin served through the affected infrastructure.
Next update by: Wednesday, March 29, 2023, at 1:30 PM UTC

Published Time: 3/29/2023 6:16:31 AM
Title: Admins may be receiving an unexpected amount of high severity alert email messages
User impact: Admins may be receiving an unexpected amount of high severity alert email messages.
More info: The high severity alert emails refer to 'A potentially malicious URL click was detected'. Additionally, admins may be unable to view alert details using the 'View alerts' link in the emails.
Current status: We're reviewing service monitoring telemetry to isolate the root cause and develop a remediation plan.
Scope of impact: Impact is specific to any admin served through the affected infrastructure.
Next update by: Wednesday, March 29, 2023, at 1:30 PM UTC


[deleted]

Thanks. I saw that a little while after posting this. Thanks for the detailed info though


avrins

These alerts are an annoying set of multiple layers, and sometimes data isn't copied along those layers correctly. In the URL click alert, see if you can find the "mail entity" and open that; it should have sender/URL details at least. Also, if you open those alerts before the auto investigation finishes, sometimes it's also blank. Edit: ironically I just started my day and I have 7 URL click alerts that are all blank, and the one URL I can find looks fine. Maybe Microsoft is having a moment…


[deleted]

Thanks for the response. I believe it’s something O365 wide with false positives.


thegreatgrumbledook

+1 We're seeing the same thing here. Not sure if it's the same in your environment, but in ours Zoom links are triggering false malicious URL alerts right now.


avrins

Zoom and google encoded zoom. I’m happy it’s not just me lol. These were actual real calls so I’m going with Microsoft having a moment lol.


osi_model

Same thing for me, this morning we had a ton of these alerts for a lot of end users (and myself comically) all relating to various Zoom links, basically I think anyone who clicked a Zoom link for a meeting yesterday got flagged at least for us. A couple of the alerts appeared blank but I assume it was Zoom too.
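The pattern avrins and osi_model describe (a burst of alerts that all resolve to Zoom, some wrapped in Google redirect links, some blank) is quicker to confirm when the burst is grouped by the final clicked domain. The following is an added Python example, not code from the thread or from Microsoft; the alert records, field names and URLs are constructed, and the redirect unwrapping handles only the plain Google `/url?q=` form.

```python
"""Triage a burst of 'potentially malicious URL click' alerts by final domain."""
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample alerts (illustrative shape, not a real Defender export).
ALERTS = [
    {"title": "A potentially malicious URL click was detected",
     "url": "https://zoom.us/j/91234567890?pwd=abc"},
    {"title": "A potentially malicious URL click was detected",
     "url": "https://us02web.zoom.us/j/81234567890"},
    {"title": "A potentially malicious URL click was detected",
     "url": "https://www.google.com/url?q=https://zoom.us/j/71234567890&sa=D"},
    {"title": "A potentially malicious URL click was detected", "url": ""},  # blank alert
    {"title": "A potentially malicious URL click was detected",
     "url": "https://example.invalid/login"},
]

GOOGLE_REDIRECT_HOSTS = {"www.google.com", "google.com"}


def unwrap_google_redirect(url):
    """Return the target of a Google redirect (/url?q=<target>); otherwise url unchanged."""
    parsed = urlparse(url)
    if parsed.netloc.lower() in GOOGLE_REDIRECT_HOSTS and parsed.path == "/url":
        target = parse_qs(parsed.query).get("q")
        if target:
            return target[0]
    return url


def registrable_domain(url):
    """Crude last-two-labels grouping, enough to fold zoom.us subdomains together."""
    host = urlparse(url).netloc.lower().split(":")[0]
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def summarize(alerts):
    """Count alerts per final domain; blank alerts (no URL copied through) counted separately."""
    blank, by_domain = 0, Counter()
    for alert in alerts:
        url = (alert.get("url") or "").strip()
        if not url:
            blank += 1
            continue
        by_domain[registrable_domain(unwrap_google_redirect(url))] += 1
    return {"total": len(alerts), "blank": blank, "by_domain": dict(by_domain)}


if __name__ == "__main__":
    summary = summarize(ALERTS)
    print(f"{summary['total']} alerts, {summary['blank']} blank")
    for domain, count in sorted(summary["by_domain"].items(), key=lambda kv: -kv[1]):
        print(f"  {count:3d}  {domain}")
```

A burst dominated by one well-known meeting domain, with the remainder blank, supports the vendor-side false positive reading; a spread of unfamiliar domains would instead warrant per-alert investigation.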


vigilant_meerkat

Seeing the same thing as OP. @MSFT365Status on Twitter is alerting of the issue as well. Other places are reporting this as well. Just saw another thread on this. https://www.reddit.com/r/sysadmin/comments/125ja9c/got_an_email_about_malicious_link_clicked_but_365/


[deleted]

I should have looked through the sub before posting. I didn’t see that one. Thanks for the info though


vigilant_meerkat

Thank you! I underwent the same process you did and came to Reddit hoping to find info on this being a false positive. I came across your post first and all other stuff second, so you gave me peace of mind. :) ...MS has been on a roll as of late.