Microsoft Defender SmartScreen reporting US OAuth URL as unsafe
Incident Report for Cronofy
Resolved
Late Thursday 29th September we received the first report of Microsoft Defender SmartScreen within Microsoft's Edge browser flagging our US OAuth flow endpoint (https://app.cronofy.com/oauth/authorize) as being an unsafe site. On Friday 30th September this was flagged to our engineering team who were able to reproduce this issue, submitted a dispute to Microsoft being the site owner, and opened this incident.

Though we obviously believed this to be an incorrect classification, we investigated why we may have been flagged in the first place whilst we awaited a response from Microsoft.

During this investigation identified an application in development mode which may have been being used as part of a phishing scam. Our guess is that they were using Cronofy's domain as a trust-worthy starting point but redirecting on to an untrustworth redirect URI after the user has granted access to their calendar. For applications in development mode we allow any redirect URI to be used to ease development, but display a warning that the application is not verified to users.

It seems that users were ignoring this warning and proceeding to go through our OAuth flow to connect their calendar before being redirected on to a site posing as a financial service.

We disabled the specific application and made our warning that an application is in development mode much more prominent to discourage the use of development mode applications in this way, including ensuring the warning was translated for all the locales the page supports.

We had yet to hear from Microsoft, but we updated our ticket with Microsoft to let them know our finding and actions taken.

At this point we were waiting on Microsoft to process our case. We did not wish to make changes that could be seen as attempting to bypass this protective mechanism as that is what a nefarious actor would do, potentially leading to the entire domain being flagged. Instead we waited on going through the proper process to get the classification corrected.

We discussed potential actions to circumvent the block in case we were left with no choice to give our integrators an option that would not require their users performing a workaround involving ignoring a warning from their browser which should be legitimate the vast majority of the time.

After a week of waiting we submitted a second case to Microsoft in case the first was somehow lost. Yesterday, Wednesday 12th October, we resorted to reaching out to people on social media and managed to get the attention of someone on the Microsoft Edge team who was able to get our case actioned and the flag was removed.

Our US OAuth flow endpoint has not been flagged for over 12 hours now so we consider this incident resolved. We are in contact with Microsoft to better understand why we were flagged in first place to prevent similar incidents, and how we might get to a faster resolution if it happens again.

Finally, thankyou to everyone who helped us by submitting a report that our site had been flagged incorrectly.
Posted Oct 13, 2022 - 08:47 UTC
Monitoring
Our case has been processed by Microsoft and the OAuth authorization URL https://app.cronofy.com/oauth/authorize is no longer being flagged as unsafe.
Posted Oct 12, 2022 - 15:43 UTC
Update
Microsoft Defender SmartScreen continues to flag the OAuth authorization URL https://app.cronofy.com/oauth/authorize as unsafe.

We are still yet to receive a non-automated response from Microsoft having submitted a second owner dispute since the last update.

At this point we are still attempting to go through the proper channels, but are starting to consider our options for workarounds that do not involve end-users having to bypass a warning dialog they should generally be paying attention to.

A workaround exists in that users appear to be able to refresh the page when they hit the warning and the page then functions as normal. Using a browser other than Microsoft Edge also serves as a workaround to this issue.

We would like to repeat our request that our customers initiate their own calendar OAuth flows in Microsoft Edge and see if they are shown a warning. If so, can you click the "More information" link and then "Report that this site doesn't contain phishing threats" and fill out the form. This can only help our case get in front of the correct people at Microsoft for resolution.
Posted Oct 12, 2022 - 13:06 UTC
Update
Microsoft Defender SmartScreen continues to flag the OAuth authorization URL https://app.cronofy.com/oauth/authorize as unsafe.

We are yet to hear back from Microsoft regarding our dispute of this classification.

We do not wish to make changes that could be seen as attempting to bypass this protective mechanism as that is what a nefarious actor would do, potentially leading to the entire domain being flagged. We are instead attempting to go through the proper process to get the classification corrected, but this does mean the time line is out of our hands.

Users appear to be able to refresh the page when they hit the warning and the page then functions as normal. Using a browser other than Microsoft Edge also serves as a workaround to this issue.

We would like to request that our customers initiate their own calendar OAuth flows in Microsoft Edge and see if they are shown a warning. If so, can you click the "More information" link and then "Report that this site doesn't contain phishing threats" and fill out the form. This should help our case get in front of the correct people at Microsoft for resolution.
Posted Oct 03, 2022 - 16:26 UTC
Update
Microsoft Defender SmartScreen is still flagging the OAuth authorization URL https://app.cronofy.com/oauth/authorize as unsafe.

We first received a report of this on Thursday evening, and it is potentially related to a recent release of Microsoft Edge https://blogs.windows.com/msedgedev/2022/09/29/more-reliable-web-defense/

We have identified an application in development mode which may have been being used as part of a phishing scam. Using Cronofy's domain as a trust-worthy starting point but redirecting on to an untrustworth redirect URI after the user has granted access to their calendar. We have disabled this application and made our warning that an application in development mode much more prominent to discourage the use of development mode applications in this way.

We have reached out to the SmartScreen team for an update and let them know our findings and actions so far.
Posted Oct 01, 2022 - 11:07 UTC
Update
We have been unable to find a workaround for the false negative with Microsoft Defender SmartScreen. We have been able to verify that it is only affecting Microsoft Edge users visiting the `/oauth/authorize` for the US data center, though attempts to alter the behavior in non-breaking ways have not cleared the error.

Our telemetry has confirmed that the scale of the impact is very small.

Customers using Microsoft Edge to authorize calendars will see the warning, though refreshing the page will clear it, as will choosing to Continue to the page.

We are awaiting a response from Microsoft regarding our request to verify the affected URL.

Users of other web browsers continue to be unaffected.
Posted Sep 30, 2022 - 14:47 UTC
Investigating
We have had reports of Microsoft Defender SmartScreen within Microsoft's Edge browser flagging some OAuth flows as being from an unsafe site.

We obviously believe this to be a false-negative and have reported this to Microsoft.

If users refresh the page Edge will allow users to continue without any warning.

Based on this workaround being simple and indicative of the domain as a whole not being deemed untrustworthy, we are investigating if there is anything we can do to avoid this false-negative from our side.
Posted Sep 30, 2022 - 10:25 UTC
This incident affected: API.