Mailspring Link domain is now Classified as Malicious by Microsoft Defender/Office 365

Description
Somewhere between March 27th and March 29th 2021 it appears Microsoft / Office 365 has marked the mailspring domain as malicious, aka Link Tracking now causes emails to be marked malicious by any recipients using Office 365 with ATP/Safe Links (most organizations on O365), and looks very bad to the recipients + makes sending any links basically broken/blocked (including ones in signature) unless link tracking is disabled.

When sending any email with link tracking enabled in Mailspring, the links get rewritten to the mailspring link domain - when the recipient email server is on Office 365 with ATP, the URL is then rewritten to pass through O365’s Safe Link domain. When the recipient clicks the link, they’re taken to an O365 page with a giant red warning saying:

This website has been classified as malicious.
Opening this website might not be safe.
https://link.getmailspring.com/link/xxxxxxxxxxxxx

We recommend that you don’t open this website, as opening it might not be safe and could harm your computer or result in malicious use of your personal data.

For Feedback on Microsoft Defender for Office 365

Usually won’t allow you to click through at all, but for our Office 365 ATP we’ve changed the settings to allow bypassing/continuing to the URL if they click through multiple warnings

To Reproduce…
Steps to reproduce the behavior:

  1. Send an email via Mailspring with link tracking enabled and include a link, to anyone on Office 365 with ATP/Safe Links
  2. (on recipient side, click the link and see the warning/block)

Expected Behavior
Be able to use premium features (like link tracking) without being blocked/flagged as malicious by Microsoft

Screenshots

Setup
(Not dependent on version/environment - applies to all as recipient server-based)

  • OS and Version: Arch Linux x64 KDE
    • Installation Method: Arch AUR
  • Mailspring Version: 1.8.0-8983dca2
  • Office 365 Email Provider (Recipient side) with Microsoft Defender/ATP Safe Links

Additional Context
The link sent was simply a link to our own domain with a video (nothing special), links we send constantly company-wide as basically like our internal dropbox. I send these almost every day and never had issues until Monday March 29.

Occurred with 2 different organizations using Office 365 (everyone I sent to on Monday reported the links being malicious, including internally/our own email system). Looks like a blanket block on the base mailspring link domain from what I can tell, since no matter what link I send the same occurs.

The entire link domain being marked malicious by Microsoft is likely to have many other major+negative impacts as it’s likely to be merged into Edge/Windows + Microsoft Defender (if not already as O365 ATP is Microsoft Defender), not to mention emails getting blocked/flagged/rejected :frowning:

Side note - had a hell of a time getting this posted lol, kept saying new users can only post 2 links even though I only had the one and modified the others, not sure what’s up but hopefully one of these will go through!

Apparently the headers get counted as links? O_o I had to convert all the Headers to bold and then was able to submit lol (otherwise it says new users can only post 2 links, as it counts each header as a link I guess!)

Edited the original post to include the two links I was trying to from the beginning and all good now at least :slight_smile: Also note I realize this isn’t EXACTLY a typical bug since it’s not necessarily something wrong with the code itself, but obviously has a major impact and is not intended behavior :wink:

Also note I did create a submission in our admin center for the link domain saying it shouldn’t be blocked, but not sure if that’ll help much on its own.

Hi @F1nny ,

thanks for the report. As this is affecting the Mailspring Domain, this is something @bengotow needs to have a look at. Do you know if there is a way for the domain owner to submit something like this to Microsoft?

Cheers
Phylu

My guess is that someone sent a malicious link using Mailspring with tracking enabled, which would result in a link.getmailspring.com URL redirecting to a malicious site. Generally if a link at a domain is malicious, the entire domain is marked as malicious. It’s a big problem with URL shorteners (I had the same issue when I used to run a URL shortener).
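The two-layer rewrite described in the first post (sender-side link tracking, then the recipient's Safe Links wrapper) and the domain-level reputation effect described in the reply above, as an added Python example. This is not code from Mailspring, Microsoft or anyone in this thread: the Safe Links host name, the `url=` query format, the token-to-destination table and the bad destination are constructed for illustration; only the `link.getmailspring.com/link/<token>` shape comes from the report. It shows why a perfectly benign link is blocked once tracking is on, and allowed when the same link is sent without tracking.

```python
"""Added example: how a tracked link is wrapped twice and why one bad redirect
taints the whole tracking domain. Not code from Mailspring, Microsoft or
anyone in the thread; hosts, tokens and destinations are constructed, except
for the link.getmailspring.com/link/<token> shape seen in the report."""
from urllib.parse import parse_qs, quote, urlparse

TRACKING_HOST = "link.getmailspring.com"                    # from the report
SAFELINKS_HOST = "nam02.safelinks.protection.outlook.com"   # assumed Safe Links region host


def tracking_url(token):
    """Simulated link tracking: the sender's real destination is replaced by a
    redirect under the tracking host; only the tracking service knows where
    the token leads."""
    return f"https://{TRACKING_HOST}/link/{token}"


def wrap_safelinks(url):
    """Simulated recipient side: Safe Links wraps the URL found in the body so
    the click can be checked at click time. The original goes, URL-encoded,
    into the `url` query parameter (constructed approximation of the format)."""
    return f"https://{SAFELINKS_HOST}/?url={quote(url, safe='')}&reserved=0"


def unwrap_safelinks(url):
    """Recover the URL Safe Links actually evaluates (the one the warning page
    prints). Anything that is not a Safe Links URL is returned unchanged."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host.endswith(".safelinks.protection.outlook.com"):
        return url
    inner = parse_qs(parsed.query).get("url")  # parse_qs already percent-decodes
    return inner[0] if inner else url


def host_of(url):
    """Lower-cased host part of a URL, or '' if there is none."""
    return (urlparse(url).hostname or "").lower()


def final_destination(url, redirects):
    """Where the tracking service would send the click. The recipient's
    filter never sees this; it only sees the tracking host."""
    parsed = urlparse(url)
    if parsed.hostname == TRACKING_HOST and parsed.path.startswith("/link/"):
        return redirects.get(parsed.path[len("/link/"):], url)
    return url


# Constructed redirect table: two senders, one benign link and one bad one.
REDIRECTS = {
    "abc123": "https://example.com/videos/weekly-update.mp4",
    "def456": "https://phish.invalid/login",
}
# Constructed reputation list of known-bad destination hosts.
BAD_DESTINATIONS = {"phish.invalid"}


def tainted_hosts(redirects, bad_destinations):
    """Domain-level reputation as described in the thread: if any token under
    a host redirects to a known-bad destination, the whole host is listed."""
    tainted = set()
    for token, destination in redirects.items():
        if host_of(destination) in bad_destinations:
            tainted.add(host_of(tracking_url(token)))
    return tainted


def verdict(wrapped_url, tainted):
    """Click-time decision: unwrap the Safe Links layer and judge the host that
    is visible there, not the eventual redirect target."""
    return "blocked" if host_of(unwrap_safelinks(wrapped_url)) in tainted else "allowed"


if __name__ == "__main__":
    tainted = tainted_hosts(REDIRECTS, BAD_DESTINATIONS)
    benign_tracked = wrap_safelinks(tracking_url("abc123"))
    benign_plain = wrap_safelinks(REDIRECTS["abc123"])
    print("tainted hosts:", tainted)
    print("tracked benign link:", verdict(benign_tracked, tainted),
          "-> would redirect to",
          final_destination(unwrap_safelinks(benign_tracked), REDIRECTS))
    print("same link without tracking:", verdict(benign_plain, tainted))
```

The point of `verdict` is that the click-time check only ever sees `link.getmailspring.com`, so once that host is on the tainted list every tracked link from every sender is blocked regardless of where its token actually leads; `final_destination` exists only to make that gap visible, since in reality the filter cannot resolve the redirect without following it. Disabling tracking removes the shared host from the chain, which is why the plain link passes.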

Yea that’s probably accurate RE someone sending a malicious link and it getting flagged for everyone.

Note I did briefly look into how to submit false positives, unfortunately for MS Defender/ATP links specifically, there doesn’t seem to be a ton of information. Did see similar questions on the MS forums and the MS reps seemed to point to UserVoice pages to report, but now UserVoice has been phased out =P

What I did do meantime was submit a false positive for the base URL using our O365 account per Handle false positives or false negatives in AIR in Microsoft 365 Defender | Microsoft Docs

Unfortunately that doesn’t provide much information beyond the submission was completed, and those types of submissions historically haven’t been the best (at least for domain or IP blacklists/RBLs/etc. which had to use IT-specific forms or contact to reverse). Anyone else on O365 with MS Defender/ATP Safe links?

I’ll re-enable link tracking and try to do some tests this week to see what happens now that it’s been a few since submitting the report, thanks!