MSOffice mrodevicemgr.officeapps.live.com blocked for phishing


I have suddenly started getting messages from NOD32 regarding blocked access to a Microsoft URL: mrodevicemgr.officeapps.live.com

Does anyone know if this is really a phishing problem? Does blocking it upset MSOffice? 

The URL is listed by Microsoft here @ https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

The full message I'm getting (from the log, so not pretty) is:

Time;URL;Status;Application;User;IP address;SHA1
04/02/2020 10:01:06;https://mrodevicemgr.officeapps.live.com;Blocked by Anti-Phishing blacklist;C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe;ORWELL\willi;52.109.76.40;24F5E9F445912D05C05A45AB17E11FBDFAAF2FBC
 

 


  • Administrators

It was a 3rd party FP, it's fixed now and we have also whitelisted the live.com domain to prevent similar FPs in the future.


We are getting this issue on multiple endpoints on Endpoint Security, 83 occurrences on my PC alone in 36 hours. Paste from the log below:

Time;Account;Group;URL;Matching URL;Category;Action performed
07/02/2020 11:50:21;NT AUTHORITY\SYSTEM;NT AUTHORITY\SYSTEM;https://mrodevicemgr.officeapps.live.com;mrodevicemgr.officeapps.live.com;Malware Distribution Point;Blocked by policy
 

 


I'm still getting multiple block notifications on the grounds of Parental Control for this URL on full-blown ESET.

Is this correct or is this going to be fixed????

ESET is fully up to date............


  • Administrators

It was not a problem of Parental Control. The IP range is already whitelisted. Please post the appropriate records from logs.


We're getting the same warning since yesterday:

 

More details
Hash: 0000000000000000000000000000000071374470
Uniform Resource Identifier (URI): https://mrodevicemgr.officeapps.live.com
Process name: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\16.0.12430.20184\OfficeClickToRun.exe
Event: An attempt to connect to URL
Rule: Blocked by Web control
Scanner: HTTP filter
Target address: 52.109.76.40

  • Administrators

You can upload them here. Attachments can be accessed only by ESET staff. Alternatively you can upload them to OneDrive, Dropbox, etc. and drop me a personal message with a download link.


  • Administrators

Thank you. The address is categorized as malicious by Web Control. We have reported the miscategorization to the provider of the URL categorization database. In the meantime, creating a Web Control permissive rule and moving it on top of other Web Control rules should do the trick:

[Screenshot: image.png]


  • Administrators
12 minutes ago, Bugra Ceylan said:

Thanks for the info. I deployed the workaround rule as you described. Can you provide an update when the category is fixed?

It seems the URL categorization provider has already fixed it. Now it may take up to 24 hours for the database to get updated on our servers.


I am getting the same kind of repeat blocking with the message below. I think it might be blocking some of my files from updating to the Office 365 cloud. This happened today, several times.

Time;URL;Status;Application;User;IP address;SHA1
11/02/2020 18:21:01;https://mrodevicemgr.officeapps.live.com;Blocked by Parental control;C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe;DESKTOP-4MPP8AU\Windows;52.109.76.40;B772F61DD32164D43333AE54E17A3C88184E733B

 

Would appreciate some clarity about this
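
Added example, not part of any post in this thread and not ESET tooling: a small Python triage script that parses the two semicolon-delimited export layouts quoted in the posts above and summarizes, per host, how often it was blocked, over what period, under which verdict labels, and by which requesting binaries. The function names `parse_export` and `summarize` are hypothetical, and the day/month/year timestamp format is an assumption.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Rows copied from the log excerpts quoted in this thread; the two exports
# use different column layouts, so each is parsed by its own header row.
FILTERED_WEBSITES = r"""Time;URL;Status;Application;User;IP address;SHA1
04/02/2020 10:01:06;https://mrodevicemgr.officeapps.live.com;Blocked by Anti-Phishing blacklist;C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe;ORWELL\willi;52.109.76.40;24F5E9F445912D05C05A45AB17E11FBDFAAF2FBC
11/02/2020 18:21:01;https://mrodevicemgr.officeapps.live.com;Blocked by Parental control;C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe;DESKTOP-4MPP8AU\Windows;52.109.76.40;B772F61DD32164D43333AE54E17A3C88184E733B
"""
WEB_CONTROL = r"""Time;Account;Group;URL;Matching URL;Category;Action performed
07/02/2020 11:50:21;NT AUTHORITY\SYSTEM;NT AUTHORITY\SYSTEM;https://mrodevicemgr.officeapps.live.com;mrodevicemgr.officeapps.live.com;Malware Distribution Point;Blocked by policy
"""

def parse_export(text):
    """Yield one normalized record per row of a semicolon-delimited export."""
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        yield {
            # Assumption: timestamps are day/month/year.
            "time": datetime.strptime(row["Time"], "%d/%m/%Y %H:%M:%S"),
            "host": (urlsplit(row["URL"]).hostname or "").lower(),
            # The verdict sits in "Status" in one layout, "Category" in the other.
            "verdict": row.get("Status") or row.get("Category") or "unknown",
            # Only the layout with an "Application" column names the binary.
            "process": (row.get("Application") or "").rsplit("\\", 1)[-1] or None,
        }

def summarize(*exports):
    """Per host: block count, first/last seen, verdict labels, binaries."""
    hosts = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                 "verdicts": set(), "processes": set()})
    for text in exports:
        for rec in parse_export(text):
            h = hosts[rec["host"]]
            h["count"] += 1
            h["first"] = min(filter(None, (h["first"], rec["time"])))
            h["last"] = max(filter(None, (h["last"], rec["time"])))
            h["verdicts"].add(rec["verdict"])
            if rec["process"]:
                h["processes"].add(rec["process"])
    return dict(hosts)

if __name__ == "__main__":
    for host, s in summarize(FILTERED_WEBSITES, WEB_CONTROL).items():
        print(host, s["count"], s["first"].date(), s["last"].date(),
              sorted(s["verdicts"]), sorted(s["processes"]))
```

Run against real exports from several endpoints, the per-host summary gives support the block count, time window and verdict labels in one place when reporting a suspected false positive.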

This topic is now closed to further replies.