As has already been said, there's a chance that you are compromised and don't know. Obviously keep trying to contact MS, but in the mean time I'd make as much sure as you can that they don't have a legitimate beef.
If you're willing to share more details about your site such as your tech stack, we can probably give you more specific advice beyond "check your logs for weirdness and hire a consultancy firm that deals with breach detection," though that is good advice.
For what it's worth I went through something similar to this not too long ago, so I know how maddening it is. My client never found any breach (though I did find some PHP library CVE's that could have conceivably been chained together to wreak some havoc), but I ended up rebuilding their prod environment clean and the flag went away on it's own after a couple days, probably because whatever malware was in there had disappeared.
I can absolutely confirm that Edge is blocking sites based on spurious signals. One of mine is still getting a similar warning. We were given an explicit reason, namely that a form action was pointing to a different URL that looked suspicious. The URL was an API service that we also operate. I followed up with their support who said they couldn't remove the warning unless I sent a link to a page on that URL they could look at. I replied that it's an API server and does not have any pages which got no reply. Besides the fact that that's a terrible test of authenticity. We could easily apply a DNS TXT record or something but it wasn't offered as an option. MS are definitely in the wrong in my case and the only solution is to change our implementation and cross our fingers.
That's not actually slander/libel. Truth is an absolute defence, and that does not require you to disclose details up front. You'd only need to demonstrate truth to defend yourself if sued.
In this case I also expect it's all very carefully worded ("Be careful! This site might be trying to harm your computer") to be legal even in cases when they accidentally (and inevitably) miscategorize a site.
Whether "truth is an absolute defence" depends on the jurisdicton. In Canada and Britain proof of truth is an absolute defence, but mere truth is no defence at all. Think about it - how much of what you say could you actually prove in a court of law?
In court and parliament, this is relaxed somewhat. But just 'cause you - say - saw a murder by X in broad daylight, doesn't mean you get to say you did anywhere you like, in Canada and Britain.
PS, yes defence is really spelled with a c in Canada. This was deliberately done historically in order to distinguish ourselves from the US long before the internet and spell-checkers.
IANAL - but then a lot of lawyers aren't much good at their game either.
Yeah maybe, but the reality is they won't. You can shake fists at MS all day long but it won't get your business up and running. Fixing the breach (if it's not a false positive of course) will. It's not right or fair, but it is reality, and you can only control your own actions.
If you're willing to share more details about your site such as your tech stack, we can probably give you more specific advice beyond "check your logs for weirdness and hire a consultancy firm that deals with breach detection," though that is good advice.
For what it's worth I went through something similar to this not too long ago, so I know how maddening it is. My client never found any breach (though I did find some PHP library CVE's that could have conceivably been chained together to wreak some havoc), but I ended up rebuilding their prod environment clean and the flag went away on it's own after a couple days, probably because whatever malware was in there had disappeared.