Ask HN: Microsoft SmartScreen is destroying our business
320 points by captain_dfx on Sept 30, 2022 | 195 comments
About a month ago, Microsoft SmartScreen suddenly started flagging the login page of our SaaS dashboard as 'unsafe', scaring away our customers.

We understand false flags can happen. So we took to the official SmartScreen feedback site to report the false flag (as the website owner). Received an email that stated it would take up to 24hrs to analyse: 'If the status of your site has not changed after 24 hours, please contact us with a reply to this message'.

Sep 8 - first ticket sent. Sep 9 (24h later) - nothing. So we replied to the message as instructed. Sep 12 - still nothing. One more reply sent. Asked some of our customers to report our site as safe. Sep 15 - crickets. Tried calling phone support, impossible to get through; they just hang up on us. Reached out to MS support on Twitter, said they would look into the case. Sep 22 - no changes - MS twitter support has been unable to find the correct person internally. We replied to the SmartScreen ticket once more. Opened two new tickets. Asked more customers to report the site as safe. Sep 30 (Today) - now the warning has started to spread from our login page to our entire dashboard. Still no word from Microsoft.

We are totally baffled that MS allows a false flag to stay up this long, totally ignoring us for almost a full month, meanwhile destroying a business that did nothing wrong...

We suspect one of our competitors is responsible for falsely reporting us. Is 'weaponized SmartScreen' a thing?

Does anyone have a similar experience? Any advice on resolving this matter is greatly appreciated!




Very important that you develop complete confidence that there isn't anything wrong with your product. It's not uncommon, in fact it's very common, for compromise kits for websites to take measures to avoid detection. A common one is only serving the malicious content when a specific referrer is present (I've seen this be Yahoo Search in the case of compromised Drupal installations multiple times, not really sure why). It might be wise to engage a security firm to conduct an investigation if you don't have in-house expertise in this area. You should definitely review logs carefully for any unusual inbound traffic. Sometimes looking up your own domain on services like virustotal can reveal the problem, as it might turn up samples of malware retrieved from your website.

I say this because I have been involved in this exact situation multiple times: website flagged by some or other security service, website operator has no idea why and insists it is fine, website turns out to be serving the landing page of a major pharma scam campaign unnoticed by the website operator due to anti-detection measures.
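One way to act on the advice above, as an added example (not code from the thread): request your own login page under several header profiles and report where the response differs from the plain baseline. Referrer- or user-agent-gated payloads only show up this way. The profile list, the placeholder URL and the volatile-fragment patterns are constructed assumptions; adjust them for your own templates.

```python
"""Added example: detect content that is only served to some visitors by
fetching the same URL under several request profiles and diffing the
normalized bodies.  Standard library only; the network fetch is injectable
so the comparison logic can be exercised offline."""
import hashlib
import re
import sys
import urllib.request
from typing import Callable, Dict, List

# Constructed list of request profiles.  The Yahoo Search referrer reflects the
# observation in the comment above; the rest are common gating conditions.
PROFILES: Dict[str, Dict[str, str]] = {
    "plain": {},
    "referer-yahoo": {"Referer": "https://search.yahoo.com/search?p=example"},
    "referer-google": {"Referer": "https://www.google.com/search?q=example"},
    "ua-windows-edge": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                                      "AppleWebKit/537.36 (KHTML, like Gecko) Edg/105.0"},
    "ua-mobile": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)"},
}

# Fragments that legitimately change per request (CSRF tokens, CSP nonces).
# They are stripped before comparing so they neither mask nor mimic a real
# difference.  Extend this list for your own templates.
_VOLATILE = [
    re.compile(rb'name="[^"]*(?:csrf|token)[^"]*"\s+value="[^"]*"', re.I),
    re.compile(rb'nonce="[^"]*"', re.I),
]

# Absolute script/iframe sources: the usual carrier for an injected payload.
_SRC = re.compile(rb'<(?:script|iframe)\b[^>]*?\bsrc=["\']?(https?://[^"\'\s>]+)', re.I)


def normalize(body: bytes) -> bytes:
    for pattern in _VOLATILE:
        body = pattern.sub(b"", body)
    return body


def fingerprint(body: bytes) -> str:
    return hashlib.sha256(normalize(body)).hexdigest()


def external_refs(body: bytes) -> set:
    return {m.group(1).decode("ascii", "replace") for m in _SRC.finditer(body)}


def http_fetch(url: str, headers: Dict[str, str]) -> bytes:
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read()


def compare_profiles(url: str,
                     fetch: Callable[[str, Dict[str, str]], bytes] = http_fetch
                     ) -> Dict[str, List[str]]:
    """Return {profile: [external sources absent from the plain response]} for
    every profile whose normalized body differs from the plain baseline.  An
    empty list still means the body differed, so inspect that response by hand."""
    bodies = {name: fetch(url, headers) for name, headers in PROFILES.items()}
    base_fp = fingerprint(bodies["plain"])
    base_refs = external_refs(bodies["plain"])
    findings: Dict[str, List[str]] = {}
    for name, body in bodies.items():
        if name != "plain" and fingerprint(body) != base_fp:
            findings[name] = sorted(external_refs(body) - base_refs)
    return findings


if __name__ == "__main__":
    # Placeholder target; pass your own URL on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://dashboard.example.com/login"
    for profile, refs in compare_profiles(target).items():
        print(f"{profile}: response differs; new external sources: {refs or 'none'}")
```

Run it from a network the site does not treat specially; a fetch from your office IP may be excluded by the same gating you are trying to detect.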


This!

I worked with a very well-known university that unknowingly had been compromised and was being flagged for malware by various protective services.

They, assuming it was just a false positive, put up a banner at the top of their webpages that said they were falsely being flagged and that visitors should ignore any warnings and essentially shut off any protections for their website.

Meanwhile their site was compromised and attempting to dump payloads onto visitors.

Have you ensured you are not compromised?


Should they then not just reply with "You're on the list because of the malware payload at <URL>"?


Just a guess, but I think they don't want to serve as an oracle for the people whose malware they are trying to block.

Not saying that isn't shit or frustrating.


> don't want to serve as an oracle for the people whose malware they are trying to block

Those people don't have a registered business; The people contacting Microsoft do.

There are probably a bunch of excuses we can come up with that would make sense... but I think most people know the real reason, it's the same as with Google and Apple... they don't do customer support, and they don't take responsibility for any negative effects their services might have on others, at least not until someone big enough makes a fuss or lawyers get involved.


> Those people don't have a registered business; The people contacting Microsoft do.

I don't think you understand how sophisticated malware distribution can be.

There's absolutely nothing stopping a "legitimate business" from distributing malware.


He's not saying there is. He's saying that it's pretty unlikely that the malware authors are going to phone Microsoft and ask why their site is flagged, so putting in some reasonable road blocks that a legitimate business would definitely jump over (e.g. talking to real people) would be plenty to remove the oracle issue.


They don't? How do you know? Having one seems like it would be a real benefit.


Saying they detected malware already does that.

Being slightly more specific shouldn't be a problem.


Sure, maybe not display it in the publicly visible warnings, but if the admins of a domain email you from the same domain as the flagged site, then maybe providing more detail at that point is an acceptable method of fixing the issue.

Saying "we know you are compromised and know exactly where, but we're not going to tell" is very childish. Now, if they said for a nominal fee, we'd be happy to share the results of our work, would be another thing totally.


"we know you are compromised and know exactly where, but we're not going to tell"

The sad thing is they didn't even tell that, they gave the admins no way to differentiate between:

- we don't care if we destroy your company with a false positive and

- we are sure we are right, if you didn't do it intentionally you are probably compromised


TXT DNS records are used by Google, Microsoft and LE exactly for this purpose.


Not sure what you are saying here. I've only ever used TXT DNS records by copying&pasting whatever the original certbot told me to do or when setting up custom domain with 3rd party email. I have no idea what they do, who can read them, when, where, why, etc.

Are you saying that if you have this info correctly set up, these companies can verify your email domain is the same to provide assistance? What does law enforcement do with this info?


> but if the admins of a domain email you from the same domain as the flagged site

Email domains don't always match the domains running the website (don't forget only ten years ago www. was still expected and people redirected you there from the non-www. name).

But having access to DNS zone you can prove 'ownership' (at least technical) of the domain (even if it doesn't have the associated MX records for e-mail), precisely why LE is doing it.

> by copying&pasting whatever the original certbot

> I have no idea what they do, who can read them, when, where, why, etc

Oh my...

> Are you saying that if you have this info correctly set up, these companies can verify your email domain is the same to provide assistance?

More like "to prove you are the one responsible for tailspintoys.com - create a TXT record under that domain with 'dylan604 is admin here'".

> I have no idea what they do

TXT records are just plain text strings (in ASCII), nothing more, nothing less.

> who can read them, when, where, why

Everyone, anytime, anywhere, because it is you who placed it there in a system of Public DNS servers
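The proof-of-control flow sketched above, as an added example (not the thread's code and not any vendor's real procedure): the vendor derives a token tied to the domain and ticket, the requester publishes it in a TXT record, and the vendor resolves the record before discussing details. The label, record key and resolver are assumptions; the lookup is injected so the check runs offline, and a real deployment would plug in something like dnspython's dns.resolver.resolve(name, "TXT").

```python
"""Added example: DNS TXT challenge that ties a support request to control
of the domain's zone.  A web-server compromise does not usually grant zone
control, which is what separates 'site owner' from 'attacker on the site'."""
import hashlib
import hmac
from typing import Callable, Iterable

# Hypothetical label and key; a vendor would pick its own.
CHALLENGE_LABEL = "_site-verification"
RECORD_KEY = "verification="


def _canonical(domain: str) -> str:
    return domain.strip().rstrip(".").lower()


def issue_challenge(domain: str, ticket_id: str, server_secret: bytes) -> str:
    """Token the requester must publish.  An HMAC over domain and ticket means
    the server stores nothing, and a token issued for one case is useless for
    another domain or ticket."""
    msg = f"{_canonical(domain)}|{ticket_id}".encode()
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()[:32]


def record_name(domain: str) -> str:
    return f"{CHALLENGE_LABEL}.{_canonical(domain)}"


def instructions(domain: str, ticket_id: str, server_secret: bytes) -> str:
    """Zone-file line the vendor would send back to the requester."""
    token = issue_challenge(domain, ticket_id, server_secret)
    return f'{record_name(domain)}  IN  TXT  "{RECORD_KEY}{token}"'


def verify_control(domain: str, ticket_id: str, server_secret: bytes,
                   lookup_txt: Callable[[str], Iterable[str]]) -> bool:
    """True only if a TXT record at the challenge name carries the expected token.
    lookup_txt(name) returns the TXT strings at name (multi-part records already
    joined) and raises LookupError when the name does not exist."""
    expected = issue_challenge(domain, ticket_id, server_secret)
    try:
        records = list(lookup_txt(record_name(domain)))
    except LookupError:
        return False
    for rdata in records:
        value = rdata.strip().strip('"')
        if not value.startswith(RECORD_KEY):
            continue  # other vendors' records at the same name are ignored
        if hmac.compare_digest(value[len(RECORD_KEY):], expected):
            return True
    return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # placeholder, never a real key
    print(instructions("tailspintoys.com", "TICKET-42", secret))
```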


Except that it could help attackers beef up their tools. A certain amount of obscurity is good to keep the attackers from having too much information.

I've been in the situation where a company kinda 'ghosts' me before. And found out I was indeed the bad player (unintentionally, of course).


In this case, that sure would be helpful. Now imagine that you're running a website that is intentionally trying to trick people into installing malware. You've successfully evaded tools like Smart Screen but now you've ended up on the list.

You're not sure which one of your virus payloads set off their screen so you open a ticket. And Microsoft is supposed to tell you exactly how to get off their list again?


Yes, Microsoft should. Because hunting for shit people shouldn't be an excuse to hurt innocent people ever.

Just like you shouldn't be beaten by the cops without knowing a reason for it.


How does MS know they aren't hosting it on purpose? That might cause them to just change the malicious URL.


If you're hosting it on purpose, then you already know that it's the culprit and would've tried to change it anyways. I don't really see a scenario where telling the person who opened the ticket what the issue is would weaken the security measures or detection strategy.


That's not what is being said here, the domain is blacklisted and my comment was about MS not the bad guy telling the site owner the malicious URL. If you tell them the URL, they will change it and claim it was a compromise so they can increase campaign lifetime.


... MS is telling everyone that the root domain is on a black list. A malicious actor doesn't need more than that, they already know the exact URL that malware resides at.

A non-malicious actor doesn't know, so telling them the exact URL at least tells them where the compromised asset might be.


Yes a malicious actor needs more than that because compromised domains are valuable and keeping them alive longer means more money...

A non-malicious actor who needs the URL isn't monitoring or responding to the incident properly. Threat actors do take advantage of this and simulate a fake cleanup. Actually they exclude certain IPs and ASNs on phishing kits so that visiting the URL gives you a 404 or a webhost's "cleanup" page.


Easy. Scenario: Malicious attacker looks for exactly what Microsoft detected, and fixes each specific detection while keeping the undetected ones operating. The end result would be an operational malicious site, without being detected.


That's exactly what I am saying...


Actual bad guys, hosting $Evil on purpose, are extremely unlikely to need any "change the URL" hints.


They don't need one but having one maximizes campaign life.


How on earth does it do that?

If I put malware at xyz.com/mybadpage and MS starts flagging xyz.com, how on earth do I "maximize campaign life" by being told xyz.com/mybadpage has malware?


Imagine that you have put malware in xyz.com/mybadpage1, xyz.com/mybadpage2, and xyz.com/mybadpage3 pages. MS flags you, and you query MS. They tell you they see malware on the first two urls. Now you gained information about their blindspots.

You can capitalise on this multiple ways. You can remove the first two and hope they remove the flag. You can design your next attack better so it is more like mybadpage3. Etc


Disagree: $Evil_Site_Owner can easily test MS's blind spots by putting malware on numerous web sites, then seeing which of those sites are flagged. And if MS is not systematically scanning all the URLs...well, "MS failed to notice malware at $URL, which my web server logs say MS has not visited" is pretty useless information.

(Not that I think MS should enumerate malicious URL's, unless $Site_Owner is paying for scanning service. A "we noticed malware at $URL" is generally 95% of the possible value of such disclosures.)


A bad actor can do the same thing by putting together

Mybadpage1.com

Mybadpage2.com

Mybadpage3.com


Except if you're a malicious actor you can also do:

msscanninghoneypot1.com

msscanninghoneypot2.com

msscanninghoneypot3.com

You're pigeonholing a bad actor's actions into good actor behavior, it doesn't work like that...

edit: missed that multiple replies cover this


You move it to xyz.com/anotherbadpage and tell MS it has been cleaned up. They do this all the time. Speaking from first hand experience. This is a very simple topic, why are there so many people not understanding this?!


Bad actors know

1. It's detected (because Microsoft told everyone)

2. What was detected and where it was (because they put it there)

Good Actors only know 1.

So by telling someone 2 they are giving bad actors no new information, and good actors valuable information.


1 is for domain only.

2, MS only knows some information that shows the site is malicious; it cannot tell if it is a compromise or just a malicious site unless it perhaps looks at reputation. But even then the site owner should be able to tell new or malicious files on their webserver without MS telling them; if they can't even do that they have bigger problems. Threat actors do abuse anti-abuse systems like this all the time, and they do deploy multiple things on your site as well as use it to attack other sites and monitor the reputation of their infrastructure.


This assumes the bad actor only put one thing there. If they put multiple things there they don't know what was detected unless told.


But if a bad actor wants to know what's detectable they can just put each malware on separate domains.


I considered that but it didn't seem logical. If it's on purpose, it would be trivial to change the URL and then go "ok it's clean now please remove the flag"

How does keeping secret (from the bad guys) where the malware is thwart the bad guys?


MS is already stopping the bad guys by blocking the domain. You are supposed to do proper IR and clean up after yourself including finding out the cause of the compromise which MS can't help with. What happens in the real world is people delete the file or webshell and think the bad guys are gone and if MS unblocks them then the campaign continues.

Or the bad guys themselves do that pretending to be the site owner. MS analysts can only inspect the normal site and the malicious URL that has now been removed in order to unblock it.

This is how abuse and IR works, I am surprised at the naivety of the responses here.


What are you even talking about? What is IR?

What happens is a website is blocked and the site operator has no idea why. The defense of "we can't share any information as to why you got punished as it might help bad actors avoid punishment" should not be an acceptable stance. It's the equivalent of being thrown to prison without due process and just ignoring false positives. It's a very "natural" way of acting, but that does not make it the right one.


IR is incident response, it means you find out everything the bad guys did and how it was compromised and fix it all. You should contact a security company or professional to help you if you don't know. I have used the webshells of compromised sites where the owner tries to cleanup but the webshell is still there hosting different campaigns.

You should secure your site better and have someone who knows what they are doing (there are paid WAF and web security vendors) monitor and respond to security incidents. You are not being punished, MS is protecting its customers. You should blame the hacker not MS for the impact of the hack. It's like someone messed with your car tank and tires and the police stop you from driving it because it is unsafe to other drivers, they are not punishing you but protecting other people from being hurt by your property.


> It's like someone messed with your car tank and tires and the police stop you from driving it because it is unsafe to other drivers, they are not punishing you but protecting other people from being hurt by your property.

The police says why they stopped you though! Which implies what you have to change in order to be able to drive again. They will not say "you have to figure it out on your own or the guys who messed with your car would have it more easy."


Yes, because the police serve you but MS serves its customers and even the police will not diagnose your car for you, they might say "we see gas leaking, stop driving" but they won't tell you if the fuel line, tank, injector, etc. are responsible. MS's block is for MS customers not the public, MS also is not the only vendor that does this, there are dozens of vendors that provide domain reputation services like this to their customers. MS can block random sites and is their right, if you disagree stop using Edge and use Firefox maybe.


> MS can ___ and is their right, if you disagree stop using ____.

This is a pretty weak position to fall back to.

MS is disparaging their business and is trying to make themselves unaccountable. And they aren't customers so they have nothing to walk away from.


I live in the USA. Victim blaming "they did something to deserve it" is at best unethical. In court theoretically I would have the right to demand to see evidence. "Hold my beer" is not likely to be sufficient except in egregious circumstances.

With that said, there is an epidemic of muppet thinking right now. It's not just the intertubes. Suppose a credit card company pulls your credit report because they say you applied for credit with them. No funds are stolen. You demand they show proof. They say nope, because TTPs. So: how do I know it's a one-off, and not data theft by fraud at scale? Off goes a letter to the FTC...

Do you think like a muppet? Here is satirical example (http://athena.m3047.net/temporizing.html):

    TEMPORIZING FOUND NOT TO BE A FORM OF LYING
    
    "Temporizing", which is speculating from what we know now as to the
    motives of actors in the past and presenting that as historical fact,
    has been found not to be a form of lying. "Social proof demonstrates
    that temporizing is not lying" said a social commentator.
    
    The news was greeted optimistically as a good day for humanists and
    levels the playing field because "now the standards of proof we need
    to meet for the existence of society are the same as for religion".
    
    "People must have known about this in the past because it seems
    like they should have" said a man in the street. "Everybody who
    believes in science trusts society" said another.


I have no idea what your post is about but from MS's perspective it isn't the site owners but MS's users around the world that are victims of the threat actor that need protection. If it truly is a compromised site then the site owner is also a victim but as owners it is also their duty to secure and cleanup their site that is currently endangering the public.


Microsoft is not the Guardian of the World. If they take it upon themselves to act as such without being a responsible Netizen (cooperating with other site operators to provide a higher quality Net) then they are more interested in cementing their own position rather than being a part of a civilized Net.

Imagine if I just suddenly started spreading around rumors of your malfeasance and shadiness, and untrustworthiness.

It's a big deal.


They are not guarding the world but their windows users that don't use chrome but edge and IE (MS browsers) in this case, google and firefox also do this by default.

Leave it to HN to get me to defend even MS lol.


If it truly is a compromised site then the site owner needs to clean it up; but starting the sentence with "If.." doesn't make it so.

Alex Pinto's classic research into the (lack of) overlap among threat indicator feeds should be a shot across the bow; I worked with threat indicators for a decade. To fend off muppet thinking I would like to remind everybody that they're selling threat indicator feeds; nobody that I know of sells not-a-threat feeds. A false positive means a site was falsely reported as a threat [sp]; a false negative does not mean that it is good, it simply means it is omitted from the list of threats.

In my experience vendors are a lot more worried about false positives than dropping something which is a threat on the floor (false negatives in context). However, moral hazard pushes them to publish things which turn out to be false positives anyway, because at the end of the day they're selling FUD.

My network, my rules. Something doesn't have to be a threat for it to be blocked from a private network in my opinion; there are lots of reasons for that, including minimizing potential threats. Something could be hosted on stinky infrastructure, but it's unknown or hasn't been demonstrated to be a threat. Profiles for operational security vary, and so does the appetite for proactively blocking (and whitelisting necessary resources): just because it's legal doesn't mean it doesn't put me at a competitive disadvantage if people know what I'm doing. I have no problem with people sharing and discussing such indicators, but there has to be attribution to the sharer: they have a reputation to be considered with equal concern as that of the indicators they publish.

If you're going to do something public with such information, you can't point fingers at "AI" and indicators you found in a paper bag on the bus: you do that, then you own it. Saying the victim deserves it is something you'd better be prepared to defend in court.


In many of these extreme cases where it's non-obvious what is wrong, the victim IS often the one responsible.

Example: Viral video shows police pulling unarmed (and allegedly innocent) suspect out of a parked car that sparks outrage. It's later found out that the victim was previously evading police pursuit just minutes before, and was trying to blend in with the other cars in a lot.


No, because they would cause the following scenario: Malicious attacker looks for exactly what Microsoft detected, and fixes each specific detection while keeping the undetected ones operating. The end result would be an operational malicious site, without being detected.


The fact that Microsoft detected malware is already known, publicly.


So what? Just leave legit users in the dark because assholes exist? This type of logic needs to die. Assholes continue to exist because we enable them to by not raising the bar high enough that compromise is impractical, and no longer easy money.


People underestimate the extent to which a bunch of opaque "anti-abuse" algorithms control things. Everyone is given a risk score and if you exceed an internal threshold they will never respond to your support requests until your complaint gets on the HN frontpage. Then as justification to continue their pointless cat and mouse game the abuse department types will come in and say "well if we told you why we arbitrarily decided to <steal your money/delete your 20 year old email account/prevent you from logging in with a weird error message> then the real criminals would know how we detected them!"


In the specific scenario where they're running multiple kinds of malware on the same site, they won't know which one got detected.

Is that really something to worry about so strongly that we screw over legitimate websites?

A malicious actor can already know exactly what's detected if they run one malware at a time per site.


I believe they will if you use their vulnerability management offering it should come up with such details.

We can not expect companies to give free security advice. Secondly, providing such info without consent might result in legal actions from not so smart companies.


should? probably. But I also get, from a capitalist perspective, why they don't: they probably get enough "we swear our website is actually fine" tickets each day that they would need a sizable dedicated team to offer that kind of assistance. I don't think any of the browser vendors, Google and Mozilla included, will go to any real effort to help the reporter. At least I haven't seen them do so. I think they take the view, and I don't totally blame them, that securing your website is your problem, and they aren't going to offer security consulting for free.


They're already checking where the malware is when reviewing a report or unlisting request. The email template would need exactly one value: the URL they found.

Likely they already store this info somewhere so that the next time anyone reviews the domain, the reviewer cannot overlook it. In that case, the system could be completely automated, sending the info to the hostmaster or tech-c of the domain or something.


If they provided proof they wouldn't get "we swear our website is actually fine" tickets. Or if they did, it would be easy to resolve them: Post the proof.

If you launch a product that targets other businesses and has the capability of destroying them, you better take responsibility for that.


In this case, Microsoft "SmartScreen" is a big culprit. Just google "microsoft smartscreen false positive". Tons of support forums on this including even some product companies explaining to their users on how to unblock because of false positives. It happened to some of our customers as well and it is very difficult to explain why we cannot do much except them asking to whitelist somehow or turning off this stupid thing.


Both can be true.


This is a good suggestion to check your system carefully.

I have seen and investigated cases where malware runs for everyone except in certain locations or even excluding only the site operators.

Look for weird scripts, includes, base64 decode and exec calls in your codebase/site.
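A first pass at the file review described above, as an added example (not code from the thread): scan a web root for the constructs the comment names (eval, base64 decode, exec-style calls, odd includes) together with the referrer/IP gating that hides such code from the operator. The rule set and the file-extension list are constructed; hits are leads for a human reviewer, not a verdict, and minified bundles or inline images will trip the long-base64 rule.

```python
"""Added example: line-oriented indicator scan for PHP/JS source trees, ranking
files where a decode/exec chain sits next to visitor gating.  Standard library only."""
import os
import re
import sys
from typing import Dict, Iterator, List, Set, Tuple

Hit = Tuple[str, int, str, str]  # path, line number, rule name, excerpt

# Constructed rule set; tune to your stack.
RULES: Dict[str, re.Pattern] = {
    "eval-or-exec": re.compile(
        r"\b(?:eval|assert|create_function|passthru|shell_exec|popen|proc_open|system)\s*\(", re.I),
    "decode-chain": re.compile(
        r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.I),
    # request data flowing into code execution on the same line, either order
    "request-to-code": re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\b.{0,80}\b(?:eval|assert|include|require)\b"
        r"|\b(?:eval|assert|include|require)\b.{0,80}\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "preg-replace-e": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
    "visitor-gating": re.compile(r"HTTP_REFERER|HTTP_USER_AGENT|REMOTE_ADDR|HTTP_X_FORWARDED_FOR", re.I),
    "remote-include": re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]?https?://", re.I),
    "js-obfuscated-write": re.compile(
        r"document\.write\s*\(\s*unescape\s*\(|String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}", re.I),
    "long-base64": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}

# Rules that fire on plenty of legitimate code; they only raise a file's rank
# when a stronger rule fires in the same file.
WEAK: Set[str] = {"visitor-gating", "long-base64"}

TEXT_EXTS = {".php", ".phtml", ".inc", ".js", ".html", ".htm", ".tpl"}


def scan_text(text: str, path: str = "<inline>") -> List[Hit]:
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((path, lineno, name, line.strip()[:120]))
    return hits


def iter_files(root: str) -> Iterator[str]:
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn == ".htaccess" or os.path.splitext(fn)[1].lower() in TEXT_EXTS:
                yield os.path.join(dirpath, fn)


def scan_tree(root: str) -> List[Hit]:
    hits: List[Hit] = []
    for path in iter_files(root):
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits.extend(scan_text(fh.read(), path))
        except OSError:
            continue
    return hits


def rank_files(hits: List[Hit]) -> List[Tuple[str, List[str]]]:
    """Group hits per file, ordered by distinct strong rules then total rules.
    Gating plus a decode/exec chain in one file is the classic cloaked payload."""
    by_file: Dict[str, Set[str]] = {}
    for path, _, name, _ in hits:
        by_file.setdefault(path, set()).add(name)
    ranked = [(path, sorted(rules)) for path, rules in by_file.items()]
    ranked.sort(key=lambda item: (len(set(item[1]) - WEAK), len(item[1])), reverse=True)
    return ranked


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # web root to scan
    for path, rules in rank_files(scan_tree(root)):
        print(f"{path}: {', '.join(rules)}")
```

Compare the ranked files against a known-good copy of your deployment (or your VCS) and look first at anything that is not in it, especially under upload or cache directories.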


Hijacking for tangentially related question:

> It might be wise to engage a security firm to conduct an investigation if you don't have in-house expertise in this area.

Any good security firms you recommend for a small to midsize website?


Do you practice know your customer (are you required to)? Is this shared hosting? Who runs the site? Who is responsible for security? What are your assets? Any other way(s) for them to be compromised? Where are your backups; did someone get ahold of those?

What about all of the garbage that people pull in from the webs (and into their customer's browsers)? Do you know why fonts.google.com is controversial? Is some ad network participating in a watering hole attack? Got a chatbot on your payment page?

Once you have a handle on that, you can start looking for answers. If that's too much to ask, then the time to start paring down your attack surface is before there are questions.

Use hosting that provides such guarantees. Use an MxP. Don't keep customer information you don't need. What you quote is facile.


I've noticed that the people running automated flagging systems seem to become inordinately smug to the point that they believe their false positive result over all forms of external evidence. So to them you are a criminal and that's that.


I am currently in a 3 day Facebook ban because I posted an NIH (National Institute of Health, peak legitimacy right here) link which was meant to help someone understand something.

Unfortunately, the medical procedure it covered thumbnailed down (in the generated preview) to a fairly graphic photo of a woman's private parts being operated on... and that resulted in an uncontestable instaban. No humans can be reached about it, of course.

I hate automated flagging. Not only can I now not help that person on the platform in question, but I am now discouraged from even using that product further (probably not a bad thing in FB's case!)


Facebook + Google hold similar levels of power as governments over our lives, and so should adopt similar structures. An independent judiciary, review bodies, ombudsmen, aldermen, etc.


No they shouldn't, they should be broken up so they don't have that power.


"Thus solving the problem, once and for all!"


> "once and for at&t!"


Yes, because the judicial system is free of politics and nothing can ever go wrong by giving the government more power to police what can be done on private platforms.


We already hold similar levels of power. We can just not use Facebook and Google. One needs neither of these services to live a normal life.


> We already hold similar levels of power. We can just not use Facebook and Google.

Common argument. Not a great one, because some things are only available through Facebook, and not being there can complicate your in-person life significantly. But, since I'm not on Facebook, I have to admit that it's good enough for me.

> One needs neither of these services to live a normal life.

A step too far. Normal people have Facebook and use Google. One needs both of these services to live a normal life.


> A step too far. Normal people have Facebook and use Google. One needs both of these services to live a normal life.

Is this because normal peoples' utility curves maximize convenience?


After the post, there is a button to remove the preview. Is that available before posting? Or would immediately removing the preview avoid the ban? Just wondering...


Why’d you get banned over a preview that Facebook decides to show? Apparently they’re aware it’s graphic enough that they can ban you for it.


That’s a very good question


The ban was instant, mid-post. I didn’t even get to see the preview before the ban!


On Discord you can wrap the link in <> to prevent a preview.


The government desperately needs to step in and regulate these automated "destroy your business" practices.


Totally. It should be illegal for Edge, Chrome and other browsers to take any measures, such as a little warning, in an attempt protect users from malware. I see no way that getting the government involved in this could go badly.


No one implied that it should be illegal to warn anybody. However, it should be illegal to operate a large-scale service like this without offering some kind of proper communication and prompt action, which isn't unreasonable considering they're notorious for destroying someone's livelihood for no reason.

Keep in mind that the reason this happens isn't because of "faulty AI automated systems": the reason this happens is because these companies choose to save pennies by not offering proper support channels and recourse. Those saved pennies make the difference between a 2-hour outage and literally bankrupting you for no reason at all.


</sarcasm>?


I wonder what the last sentence of his comment implies.


That he understands how competent and benign government is.


I should have some way to resolve the issue outside of the automation. Barring that, I should be able to sue them libel.


Another anti-trust suit perhaps.


Yes that worked out well last time. Microsoft was broken up and they were forced to unbundle their browser from Windows.

Also, politicians never go after companies for biased reasons and we can count on the government with more power not to abuse it.


It made Microsoft sweat pretty good in the late-90s. They had to behave a little better, not doing anything too anti-competitive, during a critical juncture of the internet's growth and adoption, while the anti-trust proceedings dragged on.

Just because there was no AT&T style divestiture at the end, doesn't mean there were no positive externalities.


I think the biggest thing that came out of that anti-trust case is the publishing of specs for various file formats and protocols used by Microsoft software.


And the duplication of... about two dozen string routines, from what I've been able to find.

The actual rendering engine was left to Windows (and to anyone who was using it, like AOL), the shell was left to IE to continue wrapping around it, and a few more things.



This mostly talks about APIs, and only briefly mentions protocols.

I don't know about the specifics of what is legally required vs what the Microsoft legal team decided to do to avoid further scrutiny. But the fact is that there's a lot of docs that were published in the aftermath of that ruling:

https://learn.microsoft.com/en-us/openspecs/protocols/ms-pro...

https://learn.microsoft.com/en-us/openspecs/data_portability...


And because of that, a million flowers bloomed and now we have dozens of browsers engines and not one dominant player controlled by a large tech company…


Without that pressure, they could have pursued a more aggressive strategy with IIS and server technologies. Outlook was only mildly annoying. They could have been much more aggressive there. Microsoft did and does a lot more than Windows and Internet Browsers.


Also I suppose companies never go after politicians for biased reasons, with legalized bribery of campaign contributions as the tool.


Yes, but no company has a “monopoly on violence” - the government does. Given a choice, a powerful government can do far more damage than Microsoft.


Who knew that the browser should have been separated fully anyway because it was a security issue?

They weren't broken up but they were anti-competitive asswipes.


See: spam blacklists


My own experience was with Wells Fargo, where I conduct quite a bit of business, but they still treated me like a criminal because their dumb AI thought that "I don't often initiate wire transfers online" and "my voice didn't sound like my age".


> "my voice didn't sound like my age"

Wow, hello marginalization! I wonder where their training data set came from.


I hate being told I must set up voice verification. Even more annoying when the representative suggests that you activate your voice despite you saying no. Voice verification is such a weak security system.


> "my voice didn't sound like my age".

Which actually should be a desirable characteristic as it is a unique identifier, but it kinda makes sense with so many 'lulzhackers' out there (not that I think this is the reason - I do attribute these issues mostly to incompetence)


If you can, take your business elsewhere…


Who does business with Wells Fargo anymore? [https://www.forbes.com/sites/eriksherman/2021/09/28/wells-fa...]


Stripe very much does.


Would like to but not so easy.


As has already been said, there's a chance that you are compromised and don't know. Obviously keep trying to contact MS, but in the meantime I'd make as sure as you can that they don't have a legitimate beef.

If you're willing to share more details about your site such as your tech stack, we can probably give you more specific advice beyond "check your logs for weirdness and hire a consultancy firm that deals with breach detection," though that is good advice.

For what it's worth I went through something similar to this not too long ago, so I know how maddening it is. My client never found any breach (though I did find some PHP library CVEs that could have conceivably been chained together to wreak some havoc), but I ended up rebuilding their prod environment clean and the flag went away on its own after a couple days, probably because whatever malware was in there had disappeared.


I can absolutely confirm that Edge is blocking sites based on spurious signals. One of mine is still getting a similar warning. We were given an explicit reason, namely that a form action was pointing to a different URL that looked suspicious. The URL was an API service that we also operate. I followed up with their support who said they couldn't remove the warning unless I sent a link to a page on that URL they could look at. I replied that it's an API server and does not have any pages which got no reply. Besides the fact that that's a terrible test of authenticity. We could easily apply a DNS TXT record or something but it wasn't offered as an option. MS are definitely in the wrong in my case and the only solution is to change our implementation and cross our fingers.


If MS have found a compromise they should share it. Making the allegation but not disclosing any reason is just slander.


That's not actually slander/libel. Truth is an absolute defence, and that does not require you to disclose details up front. You'd only need to demonstrate truth to defend yourself if sued.

In this case I also expect it's all very carefully worded ("Be careful! This site might be trying to harm your computer") to be legal even in cases when they accidentally (and inevitably) miscategorize a site.


Whether "truth is an absolute defence" depends on the jurisdiction. In Canada and Britain proof of truth is an absolute defence, but mere truth is no defence at all. Think about it - how much of what you say could you actually prove in a court of law?

In court and parliament, this is relaxed somewhat. But just 'cause you - say - saw a murder by X in broad daylight, doesn't mean you get to say you did anywhere you like, in Canada and Britain.

PS, yes defence is really spelled with a c in Canada. This was deliberately done historically in order to distinguish ourselves from the US long before the internet and spell-checkers.

IANAL - but then a lot of lawyers aren't much good at their game either.


> Truth is an absolute defence

Depends on jurisdiction, although I am presuming OP is from the USA due to their spelling.


Yes, sorry! Only trying to talk about my (non-professional) understanding of US libel law


Yeah maybe, but the reality is they won't. You can shake fists at MS all day long but it won't get your business up and running. Fixing the breach (if it's not a false positive of course) will. It's not right or fair, but it is reality, and you can only control your own actions.


When this happened to my software product I fixed it by purchasing a Comodo EV code signing certificate. It cost me $502, it was FedExed to me in a USB, and I signed my program. Tens of thousands of installs later, I have never had an issue with smart screen. Note that there are two types of code signing certs, you want the EV Code Signing Certificate. It will instantly give your program reputation that ends the smartscreen filter issue.

Is it a corrupt system? Pay to play? Sure. But this is a guaranteed way to solve the problem. And way cheaper and 1000x faster and less of a headache than contacting an attorney (which a surprising number of people here are recommending!)


> It cost me $502, it was FedExed to me in a USB, and I signed my program.

I’m surprised that it apparently had to be delivered physically. Did Comodo generate the private key for you?


The point is the private key is on the USB gadget and stays there. It's not a dumb USB drive.


IIRC you are able to get the cert signed to an existing HSM USB (depends on the provider tho).


Looks like protection racket.


Well, when you're driving and you get pulled over, you show your driver's license to the police and they don't arrest you for driving without a license.

It seems like asking to run code on other people's machines is a privilege, too. Unfortunately the World Wide Web has trained consumers to grant that privilege willy-nilly to every web page they visit. I am thankful that code signing and validation is ending the party in that way.


Sure, but "Pay $502 for the privilege of running code on other people's machines" doesn't seem like a big improvement?

At least to get a driver's license you need to pass a driving test, and return periodically to update the photo and pass an eye exam.


Yes, but quis custodiet ipsos custodes?

With the driver's license, the police officer can usually easily see if you've been behaving like someone who found their license in a packet of chips or not.

Does the certificate issuer perform any kind of due diligence to determine if the certificate should be given to this program?

A protection racket's determining characteristic is that the outfit couldn't care less what you do as long as you pay your dues and don't cross them. And if you don't, it doesn't matter how upright a citizen you are or how paranoid about safety you are, your shop will burn.


The code-signing certificate says nothing about whether the program is worthy. The code-signing certificate authenticates the publisher. That's how it's supposed to be used. The due diligence for code security is up to the publisher, because they're staking their reputation by certifying it.

The certificate authorities are separately run, by the way. I don't know how you could say Microsoft has a protection racket when they accept certificates from disparate authorities.

Code-signing certificates enable users to discern reputation. A certificate confers a reputation and not holding a certificate means an unknown reputation.

If I drive a car without a license, I can probably drive that car for years as long as I'm obeying laws and not causing trouble. A police officer who pulls me over may perhaps not ask for a license after all, but he doesn't know my reputation of obeying traffic laws; he's got to check my privilege. A driver's license in my jurisdiction carries reputation beyond just the driving privilege: infractions will rack up points.


I had problems with Windows Defender finding a false positive in the output of a product I was working on. This was an EV code signed MSI package with signed exe. This eventually inflamed SmartScreen and despite getting the thing sorted as a false positive by the AV guys it took 3 months for it to stop being flagged.

After working on Microsoft dev for ~20 years, 2019 was the last thing I touched. I handed everything else over and moved on. I will NEVER deal with that company again. Nothing but fucking shit for that entire time. The grass /is/ greener on the other side.


Have you considered that your service, unbeknownst to you, may have been compromised at some point in time, and the source of some phishing page or other malicious material?

Besides that possibility, if your business is truly being "destroyed," have you contemplated retaining counsel to escalate things with Microsoft?


Does it hurt Microsoft in any way to answer those tickets with "no, your site is participating in a phishing campaign"? And maybe tell the OP how, so that he can clean the malicious material?

And yes, that is a major defamation campaign led by Microsoft against the OP. And since MS even refuses to clarify their claim about the OP's wrongdoing, I imagine he would have an easy time in a court.


> Does it hurt Microsoft in any way to answer those tickets with "no, your site is participating in a phishing campaign"? And maybe tell the OP how, so that he can clean the malicious material?

Yes, it tells bad actors how the detection system works.


This is why well-regarded justice systems don't disclose anything about why they arrested someone and are jailing them indefinitely. It'd give criminals too much of an edge otherwise, and would surely be unworkable and lead to violent anarchy in short order.


Your tongue-in-cheek argument is focused on the wrong point.

Microsoft has no idea that you own the domain when you contact them, you are just a concerned party reaching out to them.. you could be the site owner, you could be the criminal that planted the payload.

Until it gets to the point where it is determined that you are the owner, they are correct to not give out sensitive information to random people that decide to e-mail them.


Surely you don’t consider the US to have a well regarded justice system do you?


This is irrelevant to my post. Would removing all transparency from it help, or make it worse? Are there better-regarded ones that don't reveal anything whatsoever to the accused and convicted, because that'd make it so hard to stop criminals that everything would fall apart?

[EDIT] My point is simply that somehow we manage in basically every other space to let those accused of wrongdoing know what we think they did that looked like wrongdoing, but somehow when it's an Internet giant calling the shots that's just impossible and waaaaah too hard and the sky would fall if they ever treated anyone with any amount of humanity and respect. I think it's grade-A bullshit and they've just figured out they can get away with being assholes at scale and no-one will make them stop.


There is no indication that the original poster did any type of security review to make sure that the block was justified. Let’s start there.

It’s not just the internet. No company discloses their fraud detection techniques.


MS isn't even giving them an idea of what sort of thing they think is going on. Completely ghosting someone is way beyond not disclosing fraud detection techniques.

"We're using our enormous market power to wreck your company and won't even tell you roughly the kind of thing we think is wrong" is so unacceptable it ought to draw an application of some kind of corporate death-penalty, if it's a pattern of behavior and not just a rare accident that goes against official policy. Certainly it's, all on its own, a strong argument that there shouldn't be companies this powerful in the first place.


The OP sounds like somebody that would do a non-thorough, not very competent review, and not find anything.

But it doesn't matter. MS is the one telling to the entire world that his software is not reliable. They don't get to tell it all over the world without bringing some evidence.


Yeah, I don't buy this one. "Your site is participating in a phishing campaign, here is an example: $URL" doesn't tell a malicious party anything they didn't already know from the original MS warning.

In fact, I'll go further. MS owes us an explanation why they are warning on any random site. Not only the site's owner.


No it doesn't. It simply tells that the detection system _has_ worked.


Imagine that MS replies "we detected malware spreading from your site" without any other details. What is OP supposed to do then? Won't they be just as frustrated, if not more, than before?


Just "we detected malware spreading from your site" would sure narrow things down a lot. Time to inspect the web server access logs, 'diff' the site contents with a month-old backup, etc.


They should be doing exactly that anyway.


Just as all Americans should be driving at no more than the speed limit...


There is a 0% chance that a site could be spreading malware and there's not a single thing MS could point to to help out the owners find it that wouldn't leak Super Secret Advanced Mega-Genius Malware Detection Methods.

They just don't want to because that costs more money than being a huge piece of shit does.


If they tell you the steps you have to take to get off the shit list then its not hard to reverse engineer how to avoid being on the shit list.


Yes, that's how it should work.


The Catch-22 enabling "corporate responsibility shirking".


This. Also: magecart for TTPs.

OTOH it might not be. LinkedIn flagged a domain I own as malware and pointed fingers at Spamhaus. Spamhaus had it flagged, but removed the flag when I objected. Their management claimed sites which they flag did something to deserve it on LinkedIn, but never said what. (There is no malware. It's just cranky, especially to bots.) I doubt that Spamhaus' intent was that someone should publicly mark it as malware for other parties though.


Yea, the first thing I would do is rigorously determine whether the problem is actually a false positive (note: not a "false flag" which is something entirely different). Seems a bit early to jump straight to "it must be a competitor."


And yet, when we submit crapware clones of VLC repackaged, while giving extensive details about the spyware, adware and services installed, MS refuses to block them…

I love Smartscreen…


Get a lawyer. Ask for an injunction by a court. Make smartscreen liable for the damage they do to you.


Yes, poster needs to talk with a lawyer. Ideally, a company would do this on Day One of the situation.

And keep all the data you can (from Web, marketing, ads, etc.), to try to figure out and show how much this is costing you. "And here's where the hockey stick snapped in half."


Of course. As an outside party, you're not bound by Microsoft's EULA. You can go after them for defamation, tortious interference with contract, etc. You're in a much better legal position than a customer.

This is when you have a lawyer send a letter. That's cheap. That gets your lawyer talking to Microsoft's lawyers. Most commercial disputes are, in practice, resolved that way.


You sound like a lawyer.


People talking about is it a false flag, real flag... Post your SaaS URL and you'll get a free security assessment from a dozen HNers.


That's undoubtedly true, but you'll also get a lot of assholes and script kiddies hoping to pwn your site for lulz, and they often don't care who gets hurt along the way. By posting you've just given them an easy legal defense. If it were me, I wouldn't do it. Not worth the risk.

I would however, probably be willing to DM people individually after doing a small amount of due diligence on their comment history. I guess it depends on sensitivity of the site and how desperate they are.


That is such a weird take. You get assholes and script kiddies the moment your IP interface starts accepting packets. If you don't advertise to people who can help you (be it customers or potential advocates/partners) then what on earth are you doing?

I put my company's website in my HN profile. Go ahead, make my day.

(I'm not the OP and as far as I know don't have any security issues)


> you'll also get a lot of assholes and script kiddies hoping to pwn your site for lulz, and they often don't care who gets hurt along the way.

Yes... "Free security assessment" was a euphemism I'm afraid.


I encountered this, I had a cloud service that I had spun up services on with some DNS records pointing to, and then abandoned. The IP address was then used by malware, but because my DNS pointed to it, my whole domain got blacklisted.


This is risky for things other than malware blacklisting. For example, the attacker can get a certificate for your domain, and then they can access any HTTPONLY and/or SECURE cookies set at the registrable domain level and impersonate your users just by getting someone to visit their page.


This is a good point, to properly "offline" your old hostnames and IPs. I've seen many of these cases where stale DNS started pointing to $BAD_THING


How exactly does this work? I had to request that one of my server's IP addresses be reverse-mapped to the domain name. In that circumstance I could see "abandoning" that IP, and maybe it gets reused by someone I can't send a nasty letter to, but other than that, how would some subdomain on my domain pointing to an AWS IP I haven't used in a decade remotely trace back to me or my domain?

Maybe I am too tired and am missing some feature in whois or something.
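The mechanism the subthread above describes is a stale record in your own zone that still resolves to an address or cloud resource you no longer control; once someone else holds that target, your hostname is, as far as any reputation system or certificate authority can tell, theirs. The script below is an added example (not from any commenter, and not a Microsoft or SmartScreen tool) that audits a zone export against an inventory of what you still own. It also catches the "new subdomain you did not create" case recommended further down the thread. All hostnames, addresses and the inventory are constructed for illustration; the zone text format is the plain `name TTL IN TYPE value` layout of a BIND-style export.

```python
import ipaddress
from collections import namedtuple

# Constructed sample zone export. Names and addresses are hypothetical.
ZONE = """\
www.example.com.        300 IN A     203.0.113.10
api.example.com.        300 IN A     203.0.113.11
old-demo.example.com.   300 IN A     198.51.100.77
staging.example.com.    300 IN CNAME old-bucket-3921.s3.example-cloud.net.
_acme.example.com.      300 IN TXT   "ignored"
new-login.example.com.  300 IN A     198.51.100.200
"""

# Constructed inventory of what the organisation still controls (assumption:
# you can produce this from your cloud console / IPAM).
OWNED_NETWORKS = ["203.0.113.0/24"]
OWNED_CNAME_TARGETS = {"cdn.example-cloud.net."}
KNOWN_HOSTNAMES = {
    "www.example.com.", "api.example.com.", "staging.example.com.",
    "old-demo.example.com.", "_acme.example.com.",
}

Record = namedtuple("Record", "name rtype value")


def parse_zone(text):
    """Parse 'name TTL class TYPE value' lines; skip anything that does not fit."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        name, _ttl, _cls, rtype, value = parts
        records.append(Record(name, rtype, value))
    return records


def audit(records, owned_networks, owned_cname_targets, known_hostnames):
    """Return (hostname, finding) pairs for records that deserve a look.

    - unknown-hostname: a name nobody in the inventory admits to creating
    - points-outside-owned-ranges: an A/AAAA target you no longer hold
    - cname-to-unowned-target: the classic dangling-CNAME takeover shape
    """
    nets = [ipaddress.ip_network(n) for n in owned_networks]
    findings = []
    for r in records:
        if r.name not in known_hostnames:
            findings.append((r.name, "unknown-hostname"))
        if r.rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(r.value)
            if not any(addr in n for n in nets):
                findings.append((r.name, "points-outside-owned-ranges"))
        elif r.rtype == "CNAME" and r.value not in owned_cname_targets:
            findings.append((r.name, "cname-to-unowned-target"))
    return findings


if __name__ == "__main__":
    for host, why in audit(parse_zone(ZONE), OWNED_NETWORKS,
                           OWNED_CNAME_TARGETS, KNOWN_HOSTNAMES):
        print(f"{host:28} {why}")
```

Anything flagged should be deleted from the zone or re-pointed before you argue with a reputation service, because the record is what ties the abuse to your domain. The cookie point raised above is why this matters beyond blocklists: a cookie set with `Domain=example.com` is sent to every host under it, so whoever controls `old-demo.example.com` receives it.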


I've seen someone with a similar experience to you (and also a SaaS) a few days ago: https://twitter.com/xhfloz/status/1574404009288425472

Not sure if they solved it, but might be helpful asking them.


Thanks, I'll contact them!


Do you allow user generated content at all that is internet accessible? Have you looked up your domain and IPs in virustotal and other similar services? Can users host any type of file that can be accessed without authentication?

Yes/no/yes to the above questions means that is where you should look.


We’re a web analytics product. We don’t show any user generated content. All pages (except login/signup/etc..) are behind an authwall.


I recommend two things as a minimum then:

1) Check your DNS registrar and make sure there are no new subdomains. dnsdumpster can also help a bit.

2) Check for any new files in the directory tree of public facing sites.

If you're sure all is good you just have to keep escalating with microsoft and creating new requests to remove your domain multiple times a day from different IPs and emails so you can land in the right queue eventually. Squeaky wheel and all (don't forget social media noise).
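Step 2 above, and the earlier suggestion to diff the site contents against a month-old backup, amount to a file-integrity comparison. Here is an added example of that comparison (written for this page, not posted by any commenter): it hashes every regular file under a web root, compares the result with the same manifest taken from a known-good backup, and reports added, removed and modified paths. The `demo()` function builds two small constructed trees in a temp directory so it runs offline; in practice you would point `build_manifest` at the live web root and at the restored backup.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map relative path -> SHA-256 of contents for every regular file under root.

    Symlinks are skipped so a planted link cannot hide a file outside the tree.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Classify paths as added (only in current), removed (only in baseline)
    or modified (present in both with different hashes)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed backup vs. live tree: one injected file, one appended script."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        live = os.path.join(tmp, "live")
        for root in (backup, live):
            os.makedirs(os.path.join(root, "assets"))
            with open(os.path.join(root, "index.html"), "w") as f:
                f.write("<html>login</html>")
            with open(os.path.join(root, "assets", "app.js"), "w") as f:
                f.write("console.log('ok')")
        # What a compromise commonly looks like on disk (hypothetical names):
        with open(os.path.join(live, "assets", "app.js"), "a") as f:
            f.write("\n/* appended third-party loader */")
        with open(os.path.join(live, "cache.php"), "w") as f:
            f.write("<?php /* dropped file */ ?>")
        return diff_manifests(build_manifest(backup), build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

Modified JavaScript and unexpected server-side scripts are the two findings worth reading first, since an appended loader in an existing script is exactly the kind of change a login page visitor (or a scanner) sees and the owner does not. The manifest should be taken from a backup older than the date the flag appeared, otherwise you are diffing the compromise against itself.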


I know you probably don't want to dox yourself, but this post has a good amount of traction. It wouldn't hurt to include either contact information or the site in question, just in case someone who can do something sees this!


Oh yes! I have a desktop software and MS defender sometimes flags it as unsafe. Mostly happens after I release a new version. It scares away new users, even existing users get spooked. Have to file a report and have to send customers scan report from other scanners and convince them it's a false flag. Feel really hopeless in such a situation.


Same thing happened to us, after a week or so we just had to change subdomain of our login site. No answer was ever forthcoming on the previous domain and the new one remains unflagged months later.


I'm so sick and tired of businesses abusing my trust and/or not publishing their security breaches that I'm using plus ('+') email addresses everywhere, i.e.:

my_account+site_address@example.org

for regular interactions, or:

my_account+site_address-current_date@example.org

for one-off interactions.

Won't help with historical abuses/data breaches but it'll certainly be invaluable in the future.
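The payoff of plus-tagging is only realised when inbound mail is actually checked against the tags. The following is an added example (not the commenter's code) of the two halves: building the tagged address, and attributing a received message to the site the tag names so that mail arriving at a tag from an unrelated sender domain is flagged as a likely leak. The messages, sender domains and the expected-sender table are constructed for illustration; the date suffix follows the `site-YYYY-MM-DD` shape shown above.

```python
import re
from datetime import date


def tagged_address(account, domain, site, when=None):
    """Build account+site@domain, or account+site-YYYY-MM-DD@domain for one-offs."""
    tag = site if when is None else f"{site}-{when.isoformat()}"
    return f"{account}+{tag}@{domain}"


TAG_RE = re.compile(r"^(?P<local>[^+@]+)\+(?P<tag>[^@]+)@(?P<domain>[^@]+)$")


def attribute(recipient):
    """Return (site, date-or-None) for a tagged recipient, None if untagged."""
    m = TAG_RE.match(recipient)
    if not m:
        return None
    tag = m.group("tag")
    parts = tag.rsplit("-", 3)  # split off a trailing YYYY-MM-DD if present
    if len(parts) == 4 and all(p.isdigit() for p in parts[1:]):
        return parts[0], date(int(parts[1]), int(parts[2]), int(parts[3]))
    return tag, None


def find_leaks(messages, expected_sender_domains):
    """Flag (site, sender_domain) where a tagged address receives mail from a
    domain that is not in the set expected for that site."""
    leaks = []
    for sender, recipient in messages:
        hit = attribute(recipient)
        if hit is None:
            continue  # untagged mailbox: nothing to attribute
        site, _when = hit
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        if sender_domain not in expected_sender_domains.get(site, set()):
            leaks.append((site, sender_domain))
    return leaks


# Constructed sample: (sender, recipient) pairs as they would appear in headers.
MESSAGES = [
    ("noreply@shop.example", "alice+shop.example@example.org"),
    ("deals@bulk-offers.example", "alice+shop.example@example.org"),
    ("support@bank.example", "alice+bank.example-2022-09-30@example.org"),
    ("promo@other.example", "alice@example.org"),
]
EXPECTED = {"shop.example": {"shop.example"}, "bank.example": {"bank.example"}}

if __name__ == "__main__":
    for site, who in find_leaks(MESSAGES, EXPECTED):
        print(f"address given to {site} now receiving mail from {who}")
```

The replies below note two limits: some sites reject the `+` sign outright, and a leaked address is often rewritten or re-collected by other means, so an absent finding is not proof the site kept your data to itself.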


About 10% of sites don't allow you to use a plus sign in your email address.


I started doing the same years ago and nothing came out of it. Most spam I got subscribed to, seemed to get my details some other way (or sanitised my email).


Same. I still do, but 90% of the spam that actually lands is due to a biz I legitimately gave info to illegitimately sharing it with others


Do you have a link to the domain? Perhaps it can be determined why it is triggering.


This happens to some of our customers (they have custom domains on our SaaS). It is beyond ridiculous.


You need to buy an EV certificate which is why many Devs complain SmartScreen made Windows Pay2Win.

But you can pay for it by implementing malware in your newly whitelisted app :D


Where can I go to test what "smartscreen" thinks of a particular URL ?

I am neither a "smartscreen" nor even a Microsoft customer - is it possible for me to see what they think of a particular domain/address/URL?


Go to the website in Microsoft Edge and see what happens. If there's a SmartScreen issue, you will be given a warning message.


What if it's a true flag? Your website might be compromised and serving malware.

What sort of business is it? If it's something particularly scammy, it might be being screened for that reason.


Similar thing happened to me. My OneDrive links that I share with clients end up in their email spam folder. It took me a few weeks before I realized that a few clients were still waiting for my work, because they did not have it in their inbox.

I know that it is a problem of the email providers, but still I would like to leave OneDrive; I just cannot find an alternative that is in a similar price range as OneDrive (about 2 USD/month for 1TB).


If it's for clients, does it really matter whether you're spending $2 or $5 or $10 a month?


Yes, I'm one-man-band, not a company.


I sorted this out by buying a certificate and digitally signing the binaries. You can get it from GoDaddy, Sectigo, etc.


This happened to me too because a subdomain was the same as a popular product brand name. This was kicked off by Chrome/Google, then fed through to SmartScreen. It took a few days to sort out. I had to claim the domain in Google's search tools and find the reason.


Do you have any scripts loading that might be malicious / triggering a flag? What's the website?


The answer is in your logs. If there are no logs, Microsoft know your site better than you do.


Are you in the same competitive space as MS? If so you shouldn’t act surprised.


I'm having the same issue, but it's Xfinity blocking my site from their business customers. The official contact form seems to be a sinkhole. It's beyond frustrating. I feel maligned and defamed.


Would it be possible to hire a lawyer to send them a letter notifying them you intend to sue for defamation of character?


Microsoft SmartScreen is a broken product staffed by presumably broken people.

[edit] buy a cert like the smart people are saying


Weaponized flagging is totally a thing on Amazon, so I wouldn't be surprised if with SmartScreen, too.


Is your login page vulnerable to an Open Redirect?

Run your page against OWASP top 10. You might find something
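An open redirect on a login page is a plausible reason for a phishing-style flag without any file on the server being malicious: a link to `https://app.example.com/login?next=https://evil.example/` carries your reputation and lands the victim somewhere else. The code below is an added example (not from the commenter, and assuming a hypothetical `next` parameter and host `app.example.com`) showing the vulnerable handler beside a hardened one that only honours path-only targets or absolute HTTPS URLs on the application's own host. It runs offline on the constructed inputs in the test.

```python
from urllib.parse import urlsplit, urlunsplit

APP_HOST = "app.example.com"  # assumed host of the login page


def vulnerable_next(next_url):
    """The bug: after login, redirect wherever ?next= says."""
    return next_url or "/"


def safe_next(next_url, app_host=APP_HOST):
    """Return a redirect target that stays on this application, or '/'.

    Accepts: '/path?query' and 'https://<app_host>/path'. Rejects other
    schemes, other hosts, protocol-relative '//host', backslash variants,
    relative paths, and raw control characters or spaces that browsers and
    URL parsers disagree about.
    """
    if not next_url:
        return "/"
    if any(ord(c) < 0x21 for c in next_url):
        return "/"
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative: only our own host over HTTPS, and
        # even then hand back just the path so no authority survives.
        if parts.scheme == "https" and parts.netloc.lower() == app_host:
            return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
        return "/"
    path = parts.path
    # '/\evil.example' is normalised to '//evil.example' by some browsers.
    if "\\" in path or not path.startswith("/") or path.startswith("//"):
        return "/"
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    for candidate in ["/dashboard", "https://evil.example/", "//evil.example/",
                      "/\\evil.example", "javascript:alert(1)",
                      "https://app.example.com/settings"]:
        print(f"{candidate!r:40} vulnerable -> {vulnerable_next(candidate)!r:35} safe -> {safe_next(candidate)!r}")
```

The usual alternative is an allow-list of named destinations instead of a URL at all, which removes the parsing question entirely; the version above is for the common case where `next` already exists and has to keep working.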


Good luck getting them to care


[flagged]


> Too many Microsoft shills here.

Can you quote one of the shills? I see people saying that OP should verify that it's a false flag. Are those the shills to whom you're referring?


Given the second sentence of 'Microsoft should be able to state exactly what is wrong.', then they probably mean these:

https://news.ycombinator.com/item?id=33037323

https://news.ycombinator.com/item?id=33037211

And these ones showed up right after they posted:

https://news.ycombinator.com/item?id=33037364

https://news.ycombinator.com/item?id=33037349

Edit: actually that first one was after they posted too? So their comment may not have been accurate the second they made it, but three comments defending microsoft's secrecy showed up in the next five minutes.


All of those comments seem pretty reasonable to me. Does that make me a shill too?


Look at most of the replies here. "Nuh uh, it's you. You have failed to check the obvious..."

It inspires paranoia I tell you.



