Microsoft Defender identifies Google and Zoom as malicious

The Windows native security app had “gone rogue” and was misidentifying legitimate URLs as malicious.

This week Microsoft confirmed that its Defender security platform, which is delivered as a part of its Windows operating system, was mistakenly tagging legitimate websites.

On Wednesday, Microsoft tweeted via their account @MSFT365status that they were investigating an issue in which some non-malicious URL links were being incorrectly marked as malicious by Microsoft Defender.

We're investigating an issue where legitimate URL links are being incorrectly marked as malicious by the Microsoft Defender service. Additionally, some of the alerts are not showing content as expected. Further details can be found under DZ534539 within the admin center.
— Microsoft 365 Status (@MSFT365Status) March 29, 2023

A short time later, Microsoft again tweeted, confirming that users were still able to access the legitimate URLs despite the false positive alerts.

The Register reported that users on Reddit were complaining that sites like Zoom and Google were being tagged as potentially dangerous, triggering a flood of alerts. To add to the problem, one user wrote that the Defender portal is “up and down”, making it difficult to investigate the alerts, according to the report.

System administrators and IT professionals were directed to the Microsoft Admin Center for further information. The incident reference number was given as DZ534539.

Indeed, the report said one user noted that Microsoft posted a message in the Admin Center saying that admins “may be receiving an unexpected amount of high severity alert email message”.

“The high severity alert emails refer to ‘A potentially malicious URL click was detected”, according to the note. “Additionally, admins may be unable to view alert details using the ‘View alerts’ link in the emails”.

Another admin reportedly posted that Defender is “classifying all ZOOM.US a malicious URL, detecting all clicks as potentially Malicious”. The admin added: “We’ve checked several of those URLs and all them seem a legit resource”.

Issue resolved

Late Wednesday, Microsoft determined that changes to SafeLinks had caused the problem. SafeLinks is a feature that scans incoming email for malicious hyperlinks and attachments,

“We determined that recent additions to the SafeLinks feature resulted in the false alerts and we subsequently reverted these additions to fix the issue”, the company tweeted.