Skip links

Microsoft Defender shoots down legit URLs as malicious

Microsoft’s at-times-glitchy Defender service is again causing headaches for IT admins by flagging legitimate URLs as malicious.

Users are complaining that sites like Zoom and Google are being tagged as potentially dangerous, triggering a flood of alerts. To add to the problem, one netizen wrote that the Defender portal is “up and down,” making it difficult to investigate the alerts.

“We just got two email alerts regarding a malicious link being clicked but when we try to browse the security portal, it errors out,” a Redditor wrote.

A system admin said that after getting two email alerts about a malicious link being clicked, they were unable to browse the security portal.

And one Register reader told us: “Our organization has received hundreds of malicious URL alerts from Office 365 for links. These false positives take us a long time to investigate. Microsoft finally admitted that this is affecting hundreds of accounts and tenants worldwide.”

Indeed, the Windows giant is aware of the problem, tweeting out a note at 1304 UTC that it’s looking into the issue.

“We’re investigating an issue where legitimate URL links are being incorrectly marked as malicious by the Microsoft Defender service,” Redmond wrote. “Additionally, some of the alerts are not showing content as expected.”

The biz is tracking the problem as DZ534539.

A user noted that Microsoft in an admin center message said that admins “may be receiving an unexpected amount of high severity alert email message.”

“The high severity alert emails refer to ‘A potentially malicious URL click was detected,'” according to the note. “Additionally, admins may be unable to view alert details using the ‘View alerts’ link in the emails.'”

Microsoft said it is trying to isolate the root cause by poring over service monitoring.

An hour after the first tweet, Redmond followed up, saying that “users are still able to access the legitimate URLs despite the false positive alerts. We’re investigating why and what part of the service is incorrectly identifying legitimate URLs as malicious.”

Regardless of whether they can still access the sites, techies are saying the whole thing is a pain.

Defender is “classifying all ZOOM.US a malicious URL, detecting all clicks as potentially Malicious,” an admin wrote. “We’ve checked several of those URLs and all them seem a legit resource.”

Perusing the Reddit comments, Zoom links seem to be a particular problem, but not the only one. A poster on Reddit wrote that “pictures sent from employees personal GMAIL to work accounts getting flagged (they send pics of their receipts) and zoom links. Many delayed from yesterday.”

All this comes two months after users reported that Defender for Endpoint’s attack surface reduction (ASR) rules suddenly were removing icons and application shortcuts from the Taskbar and Start Menu in both Windows 10 and 11.

Cynics might even say Defender has had a bit of a false positive problem in the past. ®