Microsoft Investigates False Positives in Microsoft Defender
This issue is already causing security personnel a headache.
Microsoft is investigating a concerning issue where legitimate URLs are being incorrectly marked as malicious by Microsoft Defender, according to a recent announcement. The tech giant is also looking into why some alerts are not showing content as expected. While Microsoft is still investigating the issue, they have confirmed that users can still access legitimate URLs despite the false positive alerts.
Microsoft has urged users to check the admin area under DZ534539 for further information and details, which are also available under DX534539 in the admin center.
This issue has caused headaches for security personnel, which is why the CloudWize team worked hard to bring a solution with 90% accuracy for cloud security and compliance alerts. Learn more here.
In related news, Microsoft announced yesterday that they had released a new feature called Collaboration Security for Microsoft Teams. The feature is now available for public preview and has been designed to protect organizations against cyber-attacks that target collaboration platforms like Teams.
It is unclear whether this new feature is connected to the investigation into the false positives or if it is just a coincidence. Microsoft continues to investigate the issue and will release updates as more information becomes available.
Earlier this year, in January 2023, Microsoft encountered a false positive issue caused by a buggy Microsoft Defender ASR rule. The rule mistakenly deleted application shortcuts from the desktop, Start menu, and taskbar, rendering some existing shortcuts unusable as they no longer launched linked apps. The issue impacted app shortcuts across managed devices after the Microsoft Defender for Endpoint attack surface reduction (ASR) rule was triggered erroneously.
Typically, this ASR rule (known as “Block Win32 API calls from Office macro” in Configuration Manager and “Win32 imports from Office macro code” in Intune) would prevent malware from using VBA macros to call Win32 APIs. However, due to the bug, it caused more harm than good.
Following the incident, Microsoft reverted the ASR rule and advised affected customers to place it in Audit mode or disable it entirely. However, Microsoft noted that it would take several hours for the reverted rule to propagate to all affected customers.
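The remediation Microsoft advised above (moving the misbehaving rule to Audit mode rather than leaving it blocking) can be done and verified from an elevated PowerShell session. The script below is an added example, not code from the article or from Microsoft; it uses the Defender Antivirus cmdlets, the rule GUID 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B for "Block Win32 API calls from Office macros", and the Defender operational log event IDs 1121 (ASR block) and 1122 (ASR audit), all of which are existing Defender values and not taken from the page.

```powershell
# Added example (not from the article or Microsoft): report the current action of
# one ASR rule, switch it to Audit mode, and confirm via the Defender event log.
# Run as administrator on a device with Microsoft Defender Antivirus enabled.

# GUID of the ASR rule "Block Win32 API calls from Office macros".
$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'

# Numeric action values returned by Get-MpPreference, mapped to readable names.
$Actions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleAction {
    param([string]$Id)
    $pref = Get-MpPreference
    # Ids and Actions are parallel arrays; match the GUID case-insensitively.
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $Id) {
            return $Actions[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
    return 'NotConfigured'
}

Write-Host "Before: $RuleId is $(Get-AsrRuleAction $RuleId)"

# Add-MpPreference updates only this rule; Set-MpPreference would replace the
# whole configured rule set with the single rule given here.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

Write-Host "After:  $RuleId is $(Get-AsrRuleAction $RuleId)"

# Verify from the operational log: 1121 = blocked by an ASR rule,
# 1122 = audited only. After the switch, new events for this rule should be 1122.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id,
        @{ n = 'Outcome'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } } |
    Format-Table -AutoSize
```

Where Intune or Configuration Manager manages the device, the policy it pushes will overwrite this local change on the next sync, so the mode switch belongs in the management profile as well.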
Update (30.3.2023) – Microsoft determined that recent additions to the SafeLinks feature resulted in the false alerts, and they subsequently reverted these additions to fix the issue. More detail can be found in the Microsoft 365 admin center under DZ534539.
However, users report that it is still happening. We will keep this post updated.
This false positive incident highlights the importance of regularly testing and monitoring security measures to ensure that they are working as intended and not causing more harm than good.