False-Positive , Office365 Sharepoint marked as Phishing in Content-Filter
Currently the Office365 Sharepoint Node dual-spo-0003.spo-msedge.net (Switzerland) is being marked as phishing.
This stopped one of our customer of over 40 People to access their Sharepoint Data since early morning.
Other SPO Nodes are not being marked. This probably happened, because somebody tried to use the Office365 Sharepoint plattform to deploy some kind of malware/virus ect…
Please investigate this.
Sincerely
Fabian Zünd
SI-Solutions GmbH
All Replies
-
same at one of our customers that are using ATP800: they were not able to use their sharepoint 365 resources
0 -
same with ATP200, do you have a solution? whitelisting, disabling phishing category etc does not change anything.. Our custormers are still not able to connect to their office365 filedata
0 -
Same error on various ATP 200s. Bypass *.sharepoint.com in the URL and DNS Threat Filter exclude and then clear the cache via the Web CLI of the firewall. After that, access works again. (This is only an emergency solution!)
0 -
Hi, how can I clear the cache?
0 -
be careful whitelisting all sharepoint.com, it would be safer to whitelist only your own "customername".sharepoint.com cause there are a lot of phishing campaigns that run with compromised sharepoint.com link inside
1 -
Login via Console
Router# configure terminal
Router#(config) ip dns server cache-flush0 -
Hello @SI_Solutions
dual-spo-0003.spo-msedge.net has been recategorized as Content Server with Minimal Risk. Please check again, thank you.
0 -
Hello @LukeCC @KS1983 @morezh @leop800
Is it also categorized as phishing? we receive several reports like this but some of them are recovered and recategorized as Interactive Web Applications.
Please check if the issue persists, if so, please provide the SharePoint URL and the blocked log, thank you.0 -
We added an exception for customername.sharepoint.com as well as dual-spo-0003.spo-msedge.net to the Content-Filter ⇒ Trusted Websites, DNS-Content-Filter ⇒ Allow List, Reputation Filter ⇒ Allow List (IP of the DNS Entry), DNS-Thread Filter ⇒ Allow-List, and URL-Threat Filter ⇒ Allow List
After this we rebootet the ATP500 as well as our internal DNS Server, becuase the DNS Entry was still pointing at the wrong ip/ the Zyxel Warning Server instead of the normal ip.
The IP-Reputation Filter still marked the IP as malicious so i updated the Signatures by hand this early morning. (1.0.0.20230515.0)
Now the URL dual-spo-0003.spo-msedge.net is identified as:
By Content-Filter: Content-Server
HTTPS: Domain Filter: Content-Server
URL Threat Filter: Not Found
IP-Reputation: Neutral
DNS-Threat Filter: Not FoundTo me it looks resolved with the newest Signatures.
0 -
@SI_Solutions , thanks for your feedback.
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight