Our case has been processed by Microsoft and the OAuth authorization URL https://app.cronofy.com/oauth/authorize is no longer being flagged as unsafe.
Microsoft Defender SmartScreen continues to flag the OAuth authorization URL https://app.cronofy.com/oauth/authorize as unsafe.
We are still yet to receive a non-automated response from Microsoft having submitted a second owner dispute since the last update.
At this point we are still attempting to go through the proper channels, but are starting to consider our options for workarounds that do not involve end-users having to bypass a warning dialog they should generally be paying attention to.
A workaround exists in that users appear to be able to refresh the page when they hit the warning and the page then functions as normal. Using a browser other than Microsoft Edge also serves as a workaround to this issue.
We would like to repeat our request that our customers initiate their own calendar OAuth flows in Microsoft Edge and see if they are shown a warning. If so, can you click the "More information" link and then "Report that this site doesn't contain phishing threats" and fill out the form. This can only help our case get in front of the correct people at Microsoft for resolution.
Microsoft Defender SmartScreen continues to flag the OAuth authorization URL https://app.cronofy.com/oauth/authorize as unsafe.
We are yet to hear back from Microsoft regarding our dispute of this classification.
We do not wish to make changes that could be seen as attempting to bypass this protective mechanism as that is what a nefarious actor would do, potentially leading to the entire domain being flagged. We are instead attempting to go through the proper process to get the classification corrected, but this does mean the timeline is out of our hands.
Users appear to be able to refresh the page when they hit the warning and the page then functions as normal. Using a browser other than Microsoft Edge also serves as a workaround to this issue.
We would like to request that our customers initiate their own calendar OAuth flows in Microsoft Edge and see if they are shown a warning. If so, can you click the "More information" link and then "Report that this site doesn't contain phishing threats" and fill out the form. This should help our case get in front of the correct people at Microsoft for resolution.
Microsoft Defender SmartScreen is still flagging the OAuth authorization URL https://app.cronofy.com/oauth/authorize as unsafe.
We first received a report of this on Thursday evening, and it is potentially related to a recent release of Microsoft Edge https://blogs.windows.com/msedgedev/2022/09/29/more-reliable-web-defense/
We have identified an application in development mode which may have been being used as part of a phishing scam, using Cronofy's domain as a trustworthy starting point but redirecting on to an untrustworthy redirect URI after the user has granted access to their calendar. We have disabled this application and made our warning that an application is in development mode much more prominent to discourage the use of development mode applications in this way.
We have reached out to the SmartScreen team for an update and let them know our findings and actions so far.
We have been unable to find a workaround for the false negative with Microsoft Defender SmartScreen. We have been able to verify that it is only affecting Microsoft Edge users visiting the `/oauth/authorize` for the US data center, though attempts to alter the behavior in non-breaking ways have not cleared the error.
Our telemetry has confirmed that the scale of the impact is very small.
Customers using Microsoft Edge to authorize calendars will see the warning, though refreshing the page will clear it, as will choosing to Continue to the page.
We are awaiting a response from Microsoft regarding our request to verify the affected URL.
Users of other web browsers continue to be unaffected.
We have had reports of Microsoft Defender SmartScreen within Microsoft's Edge browser flagging some OAuth flows as being from an unsafe site.
We obviously believe this to be a false-negative and have reported this to Microsoft.
If users refresh the page Edge will allow users to continue without any warning.
Based on this workaround being simple and indicative of the domain as a whole not being deemed untrustworthy, we are investigating if there is anything we can do to avoid this false-negative from our side.