locked
Website coming up as false positive with MS Advanced Threat Protection RRS feed

  • Question

  • The firm I work for subscribes to MS Advance Threat Protection.  I subscribe to an email newsletters that arrive several times a day from noreply@spiceworks.com.  Starting two days ago when I click a link in the email, that MS Advanced Threat Protection has rewritten for protection, from noreply@spiceworks.com, I am directed to a website from MS/Office 365 states that the website is classified as malicious.  I was not able to insert an image of the MS/Office 365 warning.

    I have tried whitelisting the email address noreply@spiceworks.com and domain Spiceworks.com come within the Exchange Admin Console of O365.  I have checked for a way to have whitelist the site within the Security and Compliance admin but have not found a way.

    Is there a way to have the links in the email whitelisted so I can continue to the page within the Spiceworks website?

    The URL from the email below notes that the website is spiceworks.cmail19.com. Can this be whitelisted somehow?  Below are a URLs from the newsletters.  The first blocks the site and takes me to the Malicious Website Warning page.  This URL contains spiceworks.cmail19.com. I am blocked if any URL contains the Spiceworks.cmail19.com.  I am not blocked iIf the URL contain Spiceworks.cmail29.com.  Below are two sample URLs.

    Note:  In both URLs I changed my email address in the URLs to username%40domain.com from my actual email address.

    Blocked URL from September 27, 2017 containing spiceworks.cmail19.com:

    https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fspiceworks.cmail19.com%2Ft%2Fn%2Fi-l-1eebb5e2a3d511e78d82d9312d118523-l-h-r-l%2F&data=02%7C01%7Cusername%40domain.com%7Cd15c71dd38aa47b3078408d505f903ae%7C5eeefa2398824fd29ac407bb74d23ce8%7C0%7C0%7C636421489425137893&sdata=y4%2FCpD9ABO807IbZt9Uu5LruKvAKC%2F6mjgJ1IlMctlU%3D&reserved=0

    This URL from September 22, 2017, allows me to visit the topic referenced in the email.  It contains spiceworks.cmail20.com:

    https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fspiceworks.cmail20.com%2Ft%2Fn%2Fi-l-9e9298079fa811e7be5e93cf22d9c67c-l-h-r-l%2F&data=02%7C01%7Cusername%40@domain.com%7C47f1fc449054496122bb08d501cc8414%7C5eeefa2398824fd29ac407bb74d23ce8%7C0%7C0%7C636416900260246487&sdata=vpg85wBQm3e4BKXuKJ4N2%2FxuXjVlBbQR5hzGZNyxQF4%3D&reserved=0

    The only difference that I can see is that in the blocked URL the references spiceworks.cmail19.com and the unblocked is to spiceworks.cmail20.com.  Today's emails including spiceworks.cmail19.comare blocked while those containingspiceworks.cmail20.comare not blocked.

    Does MS Advanced Threat Protection need to whitelist spiceworks.cmail19.com?  Is there a way for me to modify something in our O365 tenant admin settings that will allow access to the pages the email URL references?

    Thank you for your help.

    Thursday, September 28, 2017 3:40 PM