Unsafe URL Detection

dvsken1976

Hi,

I lately have some Unsafe URL Detections within the collaboration Protection detections. In our policy we have 2 settings under exchange : Malicious url and Suspicous url. Both Are on Quarantaine. What is best practice here? How can we see if the Detection is with the Malicious or Suspicious setting? Because in the detection it just says "harmful url" . Thanks for sharing best practice tip/setting

Sethu Laks

Hi @dvsken1976

Thanks for reaching our the WithSecure community and raising your question about the "Unsafe URL Detections" you’re seeing in Elements Collaboration Protection and how your policy handles them. Here’s a simplified overview to help you understand and manage these settings:

1. Policy Settings Overview: Your policy includes two Exchange URL Scanning options: Malicious URL and Suspicious URL, both currently set to Move item into quarantine.

• Quarantine (Recommended): This is the safest option. Quarantined items are stored securely and cannot cause harm, and you can review and release them if needed. Choosing Delete item would remove the email permanently.
• Alternative for Suspicious URLs: For URLs that might be risky but aren’t confirmed malware, some admins use Modify the subject instead. This delivers the email to the user but adds a warning (like "Malicious URL content") to the subject line.

2. Viewing the Specific Detection Type: If a notification just says "harmful URL," you can check the portal for the exact classification:

1. Go to the Detections page in the Collaboration Protection portal.
2. Filter by Type of threat.
3. You’ll see it categorized as either Harmful (confirmed malware) or Suspicious.
4. Admin notifications also include a variable ($URL-THREAT) showing the exact reason the URL was flagged.

3. Extra Tips & Best Practices

• Trusted and Blocked Websites: Improve scanning accuracy by configuring sites:
  • Trusted websites are skipped in scanning.
  • Blocked websites are explicitly blocked (and take priority over trusted ones).
• Reporting False Positives: If a URL looks incorrectly flagged, you can report it to the WithSecure Tactical Defense team from the detection details page for review.

Hope this helps! If you run into any trouble adjusting these settings or reviewing quarantined items, feel free to ask here.

Best regards,
Sethu
Community Moderator | Technical Support Engineer, WithSecure https://www.withsecure.com/