Jump to content

MSOffice mrodevicemgr.officeapps.live.com blocked for phishing


Recommended Posts

I have suddenly started getting messages from NOD32 regarding blocked access to a Microsoft URL  mrodevicemgr.officeapps.live.com

Does anyone know if this is really a phishing problem? Does blocking it upset MSOffice? 

The URL is listed by Microsoft here @ https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

The full message I'm getting (from the log, so not pretty) is:

Time;URL;Status;Application;User;IP address;SHA1
04/02/2020 10:01:06;https://mrodevicemgr.officeapps.live.com;Blocked by Anti-Phishing blacklist;C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe;ORWELL\willi;52.109.76.40;24F5E9F445912D05C05A45AB17E11FBDFAAF2FBC
 

 

Link to post
Share on other sites

We are getting this issue on multiple endpoints on Endpoint Security, 83 occurrences on my PC alone in 36 hours. Paste from the log below

Time;Account;Group;URL;Matching URL;Category;Action performed
07/02/2020 11:50:21;NT AUTHORITY\SYSTEM;NT AUTHORITY\SYSTEM;https://mrodevicemgr.officeapps.live.com;mrodevicemgr.officeapps.live.com;Malware Distribution Point;Blocked by policy
 

 

Link to post
Share on other sites

We're getting same warning since yesterday:

 

More details
Hash
0000000000000000000000000000000071374470
Uniform Resource Identifier (URI)
https://mrodevicemgr.officeapps.live.com
Process name
C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\16.0.12430.20184\OfficeClickToRun.exe
Event
An attempt to connect to URL
Rule
Blocked by Web control
Scanner
HTTP filter
Target address
52.109.76.40
Link to post
Share on other sites
  • Administrators

You can upload them here. Attachments can be accessed only by ESET staff. Alternatively you can upload them to OneDrive, Dropbox, etc. and drop me a personal message with a download link.

Link to post
Share on other sites
  • Administrators

Thank you. The address is categorized as malicious by Web Control. We have reported miscategorization to the provider of the url categorization database. In the mean time, creating a Web Control permissive rule and moving it on top of other Web Control rules should do the trick:

image.png

Link to post
Share on other sites
  • Administrators
12 minutes ago, Bugra Ceylan said:

Thanks for the info, I deployed workaround rule as you described, can you provide an update when category is fixed?

It seems the url categorization provider has already fixed it. Now it may take up to 24 hours for the database to get updated on our servers.

Link to post
Share on other sites

I am getting the same kind of repeat blocking with the message below. I think it might be blocking some of my files from updating to the Office 365 cloud.This happened today, several times.

Time;URL;Status;Application;User;IP address;SHA1
11/02/2020 18:21:01;https://mrodevicemgr.officeapps.live.com;Blocked by Parental control;C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe;DESKTOP-4MPP8AU\Windows;52.109.76.40;B772F61DD32164D43333AE54E17A3C88184E733B

 

Would appreciate some clarity about this

Link to post
Share on other sites
  • 2 weeks later...
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...