Microsoft’s Defender antivirus software has mistakenly flagged some safe URLs as malicious, causing confusion among users. Users have reported that Zoom links and Google links were among the URLs mistakenly flagged as dangerous. Microsoft acknowledged the issue on Twitter, saying its engineers were working on a fix. The company also confirmed that users were still able to access legitimate URLs despite the false positive alerts.
A later update on the Microsoft 365 Admin Center portal stated that admins should expect an increased number of high-severity email message alerts saying “A potentially malicious URL click was detected.” The update also warned that admins could have trouble viewing the alert details when clicking the “View alerts” link in the messages.
“We’re reviewing service monitoring telemetry to isolate the root cause and develop a remediation plan,” Microsoft said. “Impact is specific to any admin served through the affected infrastructure.”
After a few hours, Microsoft released another update stating that the false positive issue had been addressed. The problem was reportedly caused by recent additions to the SafeLinks feature, which were subsequently reverted to fix the issue.
“We determined that recent additions to the SafeLinks feature resulted in the false alerts and we subsequently reverted these additions to fix the issue,” Microsoft said in a tweet. “More detail can be found in the Microsoft 365 admin center under DZ534539.”
False positives are a common problem in the antivirus industry, and they can be a nuisance for users and administrators. In this case, Microsoft was quick to acknowledge and address the issue, which should alleviate concerns among affected users.