The problem was traced to Defender’s SafeLinks’ feature.
False positives in Microsoft Defender.
Microsoft tweeted yesterday that Microsoft Defender was erroneously flagging some URLs as malicious.
Defender flags Zoom and other sites as dangerous.
The Register reports that some major services, such as Zoom and Google, were triggering false positives in Defender. Users were still able to access the sites, but the Register says the hundreds of false alerts were extremely time consuming for administrators.
Microsoft fixed the problem yesterday afternoon after finding that the issues were caused by changes to Defender’s SafeLinks’ feature: “We determined that recent additions to the SafeLinks feature resulted in the false alerts and we subsequently reverted these additions to fix the issue. “
Industry comment.
Sean McNee, Vice President of Research and Data at DomainTools, commented:
“Doing Internet-scale scanning of domain and URL data at Internet-scale speed is extremely challenging to get right. The best automation for doing this work always has the possibility for triggering ‘false positives’ -- identifying benign URLs as being malicious. The goal of all of these systems as always is to bring that false positive rate as low as possible while still identifying maliciousness accurately when it appears.
"While I am concerned to see these popular URLs flagged, I applaud Microsoft for acting as quickly as they did to rectify the situation and hope they publish more information about the causes later on.”