If you receive a ton of notifications today from Microsoft Defender indicating that it has detected a virus threat, there’s a likelihood that this isn’t the case. This morning, several users reported receiving several notifications from the tool indicating that it had detected malware.
However, the alerts are false: these are legitimate URL links that the service has mistakenly marked as malicious.
We're investigating an issue where legitimate URL links are being incorrectly marked as malicious by the Microsoft Defender service. Additionally, some of the alerts are not showing content as expected. Further details can be found under DZ534539 within the admin center.
— Microsoft 365 Status (@MSFT365Status) March 29, 2023
Microsoft has already acknowledged the issue via its Microsoft 365 Status account on Twitter and has further indicated that it’s investigating the matter. Some users have also reported that they are unable to launch the alerts and incidents page.
You might also want to investigate why Defender is not letting me investigate my own incidents: pic.twitter.com/HH8AGyuxsg
— Adrian Amos (@ahamos) March 29, 2023
After investigating, Microsoft narrowed the issue down to recent enhancements it had made to the SafeLinks feature, which in turn caused Microsoft Defender to register the new additions as malware and send out false alerts to users. The company has since reverted these enhancements and has patched the issue.
We determined that recent additions to the SafeLinks feature resulted in the false alerts and we subsequently reverted these additions to fix the issue. More detail can be found in the Microsoft 365 admin center under DZ534539.
— Microsoft 365 Status (@MSFT365Status) March 29, 2023
The SafeLinks feature is designed to provide URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, Teams messages, and other locations.
Let us know in the comments if you’re still encountering this issue.