INKY incident

Informational Update for Users of Office 365

Notice Resolved

INKY experienced a notice incident on March 29, 2023, lasting 22h 7m. The incident has been resolved; the full update timeline is below.

Started: Mar 29, 2023, 02:04 PM UTC
Resolved: Mar 30, 2023, 12:12 PM UTC
Duration: 22h 7m
Detected by Pingoru: Mar 29, 2023, 02:04 PM UTC

Update timeline

  1. monitoring Mar 29, 2023, 02:04 PM UTC

    We are monitoring incident DZ534539 as described on Twitter at https://twitter.com/MSFT365Status/status/1641048649525260289

    Microsoft 365 Defender Incident ID DZ534539

    Title: O365 Admins are receiving false alerts that malicious URLs have been clicked

    User impact: O365 Admins may be receiving false alerts that malicious URLs have been clicked.

    More info: Specifically, the alert emails refer to 'A potentially malicious URL click was detected'. Additionally, O365 admins may be unable to view alert details using the 'View alerts' link in the emails or in the Microsoft Defender portal. This issue does not prevent the user from accessing the legitimate URL.

    Current status: Microsoft has confirmed that the false positive alerts are generated when an O365 user clicks on a legitimate URL, as the legitimate link is being incorrectly marked as malicious. This issue does not prevent the user from accessing the legitimate URL. Microsoft is reviewing network trace logs and diagnostic data related to URL reputation, to better understand which part of the service is incorrectly identifying the URL as malicious.

    Scope of impact: Impact is specific to any O365 admin served through the affected O365 infrastructure.

  2. monitoring Mar 29, 2023, 07:06 PM UTC

    Microsoft is stating the service is restored and they are working on cleanup.

    Microsoft has identified that the recent addition of multiple safe URLs to the SafeLinks feature caused the URL click logging service False Positive configuration rule to incorrectly begin generating false positive records to the O365 alerting service. These alerts were then delivered to O365 admins as notifications of a potentially malicious URL click action from a user. Microsoft has reverted these additions and confirmed that O365 admins are no longer receiving the false activity alerts.

    Microsoft is working to mark all false positive alerts as resolved and is building a full list of URLs associated with these alerts; however, Microsoft has found that a large amount of them originated from URL clicks directing to Zoom.us domains. O365 Admins may dismiss any of the alerts from this domain.

    Start time: Wednesday, March 29, 2023, 2:00 AM (7:00 AM UTC)

    End time: Wednesday, March 29, 2023, 12:15 PM (5:15 PM UTC)

  3. resolved Mar 30, 2023, 12:12 PM UTC

    This incident has been resolved.