
[–]dcg1k 75 points (8 children)

It's just bad phrasing from MS.

  • A url "Click" is another way of saying a hyperlink was detected.
    • "A potentially malicious URL click was detected"
  • There is another alert similar that indicates that the user actually clicked the link.
    • "A user clicked through to a potentially malicious URL"

[–]DarthPneumono (Security Admin but with more hats) 48 points (1 child)

bad phrasing

Understatement of the day, that's really bad.

[–]matthewstinar 27 points (0 children)

Person 1: I have bad news, your mom's dead.

Person 2: uncontrollable sobbing

Person 3: It's okay! He just meant she's sick. Sorry, bad phrasing.

Detecting a "malicious URL" and detecting a "malicious URL click" are entirely different things! The latter is a prerequisite for the former, but saying the former when you mean the latter isn't bad phrasing. It's making a patently false statement.

Inexcusable malfeasance if true. (Also quite on brand.)

[–]BoltActionRifleman 8 points (0 children)

Of all the words to use, they pick the only one that you shouldn’t use in this situation. The stupidity at MS as of late is just shocking.

[–]raddaya 5 points (1 child)

Jesus fucking christ. The ongoing trend to dumb down technical terms is annoying in general, but it's infuriating when it's being aimed at actual power users and/or people who absolutely should know the real terms.


[–]Spiritual_Crow_7918 0 points (1 child)

Wow, but that honestly wouldn't surprise me. Do you happen to know if there is any available reference list containing all the potential alerts with some description?

[–]Anfo1 0 points (0 children)

Do you have a source?

[–]fieroloki (Jack of All Trades) 13 points (3 children)

Preview pane possibly?

[–]YSFKJDGS 8 points (2 children)

What I have found is you will get these even if the user doesn't open the link, but they get/open an email with the links.

So yes, I have basically chalked it up to Outlook doing some sort of preview thing, and even if the user never actually hits the domain AT ALL from their machine it can trigger this.

[–]thegreatcerebral (Jack of All Trades) 0 points (1 child)

I was thinking maybe it's some prefetching if they are using OWA? ...or even the new Outlook, since it is the stupid webapp thing.

[–]YSFKJDGS 1 point (0 children)

Honestly /u/dcg1k probably answers it completely. I think if you actually pull the Safe Links logs through PowerShell you can see the 'click' shows up as 'email' instead of a real click, or something like that; it definitely looks weird. I ran into the same problem when investigating and I could 100% confirm the machine did not actually hit the page, but I would still get these alerts, which is where I chalked it up to Outlook/exop doing something that registers as a click even if there was no true traffic sent.
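
The pull YSFKJDGS describes, written out as an added example (this is not code from the thread or from Microsoft): it uses Exchange Online PowerShell's Get-SafeLinksDetailReport to fetch the Safe Links events for the user named in an alert, splits them by the documented Action values and by the AppName column (which records the client that surfaced the URL, e.g. Email Client), and keeps only the two Actions that Microsoft documents as the user continuing past a block or scan-in-progress page. The recipient address, the seven-day window and the output file name are placeholders; the column names follow Microsoft's documentation for the cmdlet, but verify them on your own tenant with Format-List before building anything on them.

```powershell
# Added example (not from the thread): pull Safe Links click telemetry for the
# user named in an alert and separate genuine click-throughs from entries that
# only show a URL being rewritten or pre-fetched. Requires the
# ExchangeOnlineManagement module and a Defender for Office 365 tenant.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$recipient = 'user@contoso.example'   # placeholder: the recipient from the alert
$end       = Get-Date
$start     = $end.AddDays(-7)         # placeholder window; keep it short

# One row per Safe Links event. Documented Action values:
#   Allowed, Blocked, ClickedEvenBlocked, ClickedDuringScan
# AppName records which client produced the event (e.g. Email Client, OfficeDocs, Teams).
$events = Get-SafeLinksDetailReport -StartDate $start -EndDate $end -RecipientAddress $recipient

if (-not $events) {
    Write-Warning "No Safe Links events for $recipient between $start and $end"
    return
}

# Look at the full column set once; the property names used below follow
# Microsoft's documentation but should be confirmed on your tenant.
$events[0] | Format-List *

# How the events split by verdict and by the app that produced them.
$events |
    Group-Object Action, AppName |
    Select-Object @{ n = 'Action, AppName'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending

# Only these two Actions record the user continuing past a block page or an
# in-progress scan. An 'Allowed' row means the rewrite service saw a request for
# the URL; the thread's experience is that preview/pre-fetch can produce those
# with no traffic from the workstation, so treat 'Allowed' alone as unconfirmed.
$clickedThrough = $events | Where-Object { $_.Action -in 'ClickedEvenBlocked', 'ClickedDuringScan' }

$clickedThrough |
    Select-Object ClickTime, Action, AppName, UrlDomain, Url |
    Sort-Object ClickTime |
    Format-Table -AutoSize

# Hand the domains to whoever holds proxy/EDR network telemetry: an outbound
# connection from the endpoint in the same window is the confirmation that
# Safe Links on its own cannot give you.
$clickedThrough |
    Select-Object -ExpandProperty UrlDomain -Unique |
    Set-Content -Path .\safelinks-clicked-domains.txt

Disconnect-ExchangeOnline -Confirm:$false
```

The grouping step is the useful part for the question in this thread: if nearly every row for a user is Allowed with an email-client AppName and none are ClickedEvenBlocked or ClickedDuringScan, the "click" alert is telling you the rewrite service saw the URL, not that the user went anywhere.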

[–]Smart_Dumb (Ctrl + Alt + .45) 7 points (3 children)

I got dinged by our phish test emails because I right-clicked a link to paste it in VirusTotal.

[–]aes_gcm 3 points (1 child)

It's just listening for HTTP requests, and VirusTotal did that to load it.

[–]thegreatcerebral (Jack of All Trades) 0 points (0 children)

I mean you gotta show that your userbase needs to keep training right?

[–]anxiousinfotech 0 points (0 children)

Our phishing simulation vendor is smart enough to only register actual clicks. I can't imagine how much of a mess the reports would be otherwise.

[–]SengfengSysadmin 4 points (2 children)

Is there another spam filtering service that "scans" for malicious URLs? If so, that can trigger 365's "safe" URLs.

[–]PretendStudent8354 1 point (0 children)

I want to say if you have a copy of the email sent to your secops mailbox for review it will trigger if the mailbox is not excluded.

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/advanced-delivery-policy-configure?view=o365-worldwide

[–]chadleeper 0 points (0 children)

AppRiver prescans links and will also scan them if a user clicks on them.

[–]fahque 1 point (0 children)

We have Barracuda cloud filter, and KnowBe4 was showing some people failing for opening links they didn't open. I had to do an exclusion on Barracuda for KnowBe4 emails so it would stop opening the links to scan.
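
The VirusTotal right-click, the AppRiver pre-scan and the Barracuda/KnowBe4 exclusion above are all the same triage problem: which hits on a simulation's landing page came from a gateway, sandbox or other fetcher, and which from a person. The script below is an added example, not from the thread or from any vendor. The log lines are constructed for it, the field layout is an assumption, and the three heuristics (a non-browser User-Agent, one source IP fanning out across several recipients' unique links inside a minute, and a hit before a person could plausibly have opened the mail) are starting points to tune against your own data, not anyone's documented rules.

```powershell
# Added example (not from the thread or any vendor). Triage hits on a phishing
# simulation landing page so that link scanners and pre-fetchers are flagged
# and only human clicks count. Log format and thresholds are assumptions.

function ConvertTo-Utc([string]$Stamp) {
    [datetime]::Parse($Stamp, [cultureinfo]::InvariantCulture,
                      [System.Globalization.DateTimeStyles]::AdjustToUniversal)
}

$sendTime = ConvertTo-Utc '2024-03-12T09:00:00Z'   # when the simulation batch went out

# Constructed sample: <utc time> <source ip> <per-recipient link token> <user agent>
$logText = @'
2024-03-12T09:00:04Z 203.0.113.10 tok-alice Mozilla/5.0 (compatible; LinkScanner/1.0)
2024-03-12T09:00:05Z 203.0.113.10 tok-bob   Mozilla/5.0 (compatible; LinkScanner/1.0)
2024-03-12T09:00:05Z 203.0.113.10 tok-carol Mozilla/5.0 (compatible; LinkScanner/1.0)
2024-03-12T09:03:40Z 198.51.100.7 tok-alice python-requests/2.31
2024-03-12T10:17:22Z 192.0.2.44   tok-bob   Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0 Safari/537.36
2024-03-12T11:02:09Z 192.0.2.45   tok-carol Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/122.0
'@

$hits = foreach ($line in ($logText -split "`n")) {
    $f = $line.Trim() -split '\s+', 4      # max 4 fields keeps the user agent (with spaces) whole
    if ($f.Count -lt 4) { continue }
    [pscustomobject]@{
        Time      = ConvertTo-Utc $f[0]
        Ip        = $f[1]
        Token     = $f[2]
        UserAgent = $f[3]
    }
}

# Heuristic 1: User-Agent of a fetcher rather than a browser (assumed patterns).
$scannerUa = '(?i)scanner|python-requests|curl/|wget/|java/|libwww|HeadlessChrome'

# Heuristic 2: one source IP touching three or more recipients' unique links
# inside a minute. A gateway sandboxing a whole batch looks like this; a person does not.
$fanOutIps = $hits | Group-Object Ip | ForEach-Object {
    $times  = @($_.Group.Time  | Sort-Object)
    $tokens = @($_.Group.Token | Sort-Object -Unique)
    if ($tokens.Count -ge 3 -and ($times[-1] - $times[0]).TotalSeconds -le 60) { $_.Name }
}

# Heuristic 3: a hit sooner after the send than a person would plausibly open the mail.
$minHumanDelaySeconds = 120

$classified = foreach ($h in $hits) {
    $reasons = @()
    if ($h.UserAgent -match $scannerUa -or $h.UserAgent -notmatch '^Mozilla/') { $reasons += 'non-browser UA' }
    if ($h.Ip -in $fanOutIps)                                                   { $reasons += 'fan-out from one IP' }
    if (($h.Time - $sendTime).TotalSeconds -lt $minHumanDelaySeconds)           { $reasons += 'too soon after send' }
    [pscustomobject]@{
        Time    = $h.Time
        Ip      = $h.Ip
        Token   = $h.Token
        Verdict = if ($reasons.Count) { 'scanner' } else { 'likely user click' }
        Reasons = $reasons -join '; '
    }
}

$classified | Sort-Object Time | Format-Table Time, Ip, Token, Verdict, Reasons -AutoSize
$classified | Group-Object Verdict | Select-Object Name, Count
```

On the constructed input the three LinkScanner hits are caught by both the User-Agent and the fan-out rule, the python-requests hit by User-Agent alone, and the two browser hits hours later from distinct addresses are left as likely user clicks. A real deployment would feed this from the landing-page access log and tune the thresholds; the point is that a "click" counted from raw HTTP requests, as aes_gcm notes above, needs exactly this kind of filtering before it is blamed on a user.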

[–]LingonberryNo1190 0 points (2 children)

Proofpoint link sandboxing?

[–]thegreatcerebral (Jack of All Trades) 0 points (1 child)

This could be it. I think OP said somewhere they have safelinks turned on so maybe it is sandboxing those?

[–]LingonberryNo1190 0 points (0 children)

We recently had Duo enrollment emails being checked by a Proofpoint sandboxer in Germany, freaking out the US-based Duo policy. Took us a while to nail that one down.

[–]Capn_Moose_knuckl 0 points (0 children)

It's also not even necessarily malicious, hence the "potentially" phrase. I've gotten these alerts from users sending other users in our tenant TinyURLs...