William Hudson

MSOffice mrodevicemgr.officeapps.live.com blocked for phishing


I have suddenly started getting messages from NOD32 regarding blocked access to a Microsoft URL: mrodevicemgr.officeapps.live.com

Does anyone know if this is really a phishing problem? Does blocking it upset MSOffice? 

The URL is listed by Microsoft here @ https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

The full message I'm getting (from the log, so not pretty) is:

Time;URL;Status;Application;User;IP address;SHA1
04/02/2020 10:01:06;https://mrodevicemgr.officeapps.live.com;Blocked by Anti-Phishing blacklist;C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe;ORWELL\willi;52.109.76.40;24F5E9F445912D05C05A45AB17E11FBDFAAF2FBC
 

 


It was a 3rd party FP, it's fixed now and we have also whitelisted the live.com domain to prevent similar FPs in the future.


We are getting this issue on multiple endpoints on Endpoint Security, 83 occurrences on my PC alone in 36 hours. Paste from the log below:

Time;Account;Group;URL;Matching URL;Category;Action performed
07/02/2020 11:50:21;NT AUTHORITY\SYSTEM;NT AUTHORITY\SYSTEM;https://mrodevicemgr.officeapps.live.com;mrodevicemgr.officeapps.live.com;Malware Distribution Point;Blocked by policy
 

 


The hostname has been reclassified. It may take several hours for the change to take effect.


I'm still getting multiple block notifications on the grounds of Parental Control for this URL on full blown ESET.

Is this correct or is this going to be fixed????

ESET is fully up to date............


It was not a problem of Parental Control. The IP range is already whitelisted. Please post the appropriate records from logs.


We're getting the same warning since yesterday:

 

More details
Hash: 0000000000000000000000000000000071374470
Uniform Resource Identifier (URI): https://mrodevicemgr.officeapps.live.com
Process name: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\16.0.12430.20184\OfficeClickToRun.exe
Event: An attempt to connect to URL
Rule: Blocked by Web control
Scanner: HTTP filter
Target address: 52.109.76.40


I have the same problem, sometimes multiple times a day. What do I have to do about it?

27 minutes ago, Marcos said:

Please provide ESET Log Collector logs from such machine. Neither the hostname nor IP address appears to be blocked.

Where can I upload my logs securely? 


You can upload them here. Attachments can be accessed only by ESET staff. Alternatively you can upload them to OneDrive, Dropbox, etc. and drop me a personal message with a download link.


Thank you. The address is categorized as malicious by Web Control. We have reported the miscategorization to the provider of the URL categorization database. In the meantime, creating a Web Control permissive rule and moving it on top of other Web Control rules should do the trick:

[Attached image: image.png]


Thanks for the info, I deployed workaround rule as you described, can you provide an update when category is fixed?

12 minutes ago, Bugra Ceylan said:

Thanks for the info, I deployed workaround rule as you described, can you provide an update when category is fixed?

It seems the URL categorization provider has already fixed it. Now it may take up to 24 hours for the database to get updated on our servers.


I am getting the same kind of repeat blocking with the message below. I think it might be blocking some of my files from updating to the Office 365 cloud. This happened today, several times.

Time;URL;Status;Application;User;IP address;SHA1
11/02/2020 18:21:01;https://mrodevicemgr.officeapps.live.com;Blocked by Parental control;C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe;DESKTOP-4MPP8AU\Windows;52.109.76.40;B772F61DD32164D43333AE54E17A3C88184E733B

 

Would appreciate some clarity about this.


The date in your log is from Feb 11. Does the problem persist?

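Added example, not part of the thread and not ESET tooling: a triage script for the two semicolon-delimited log layouts pasted above, which groups blocks per host and shows when one hostname is blocked under several different reasons. `DOCUMENTED_SUFFIXES` is an assumed, admin-maintained list checked against the vendor's published endpoint page, the function names are hypothetical, and the last filtered-websites row is constructed to show a lookalike host.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Assumption: suffixes the admin has checked against the vendor's published endpoint list.
DOCUMENTED_SUFFIXES = ("officeapps.live.com",)
# The block reason sits in "Status" in one export layout and "Category" in the other.
REASON_COLUMNS = ("Status", "Category")

# Rows from the thread; the last FILTERED_SITES row is constructed (lookalike host).
FILTERED_SITES = r"""Time;URL;Status;Application;User;IP address;SHA1
04/02/2020 10:01:06;https://mrodevicemgr.officeapps.live.com;Blocked by Anti-Phishing blacklist;C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe;ORWELL\willi;52.109.76.40;24F5E9F445912D05C05A45AB17E11FBDFAAF2FBC
11/02/2020 18:21:01;https://mrodevicemgr.officeapps.live.com;Blocked by Parental control;C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe;DESKTOP-4MPP8AU\Windows;52.109.76.40;B772F61DD32164D43333AE54E17A3C88184E733B
12/02/2020 09:00:00;https://officeapps.live.com.example.net;Blocked by Anti-Phishing blacklist;C:\constructed\app.exe;HOST\user;192.0.2.10;0000000000000000000000000000000000000000
"""
WEB_CONTROL = r"""Time;Account;Group;URL;Matching URL;Category;Action performed
07/02/2020 11:50:21;NT AUTHORITY\SYSTEM;NT AUTHORITY\SYSTEM;https://mrodevicemgr.officeapps.live.com;mrodevicemgr.officeapps.live.com;Malware Distribution Point;Blocked by policy
"""

def parse_export(text):
    """Yield (host, reason, time) from either semicolon-delimited layout."""
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        host = (urlsplit(row["URL"]).hostname or "").lower()
        reason = next(row[c] for c in REASON_COLUMNS if c in row)
        yield host, reason, datetime.strptime(row["Time"], "%d/%m/%Y %H:%M:%S")

def is_documented(host):
    # Exact or dot-prefixed suffix match, so "officeapps.live.com.example.net" does not pass.
    return any(host == s or host.endswith("." + s) for s in DOCUMENTED_SUFFIXES)

def summarize(*exports):
    """Per host: block count, distinct reasons, first/last seen, FP-candidate flag."""
    hosts = defaultdict(lambda: {"count": 0, "reasons": set(), "times": []})
    for text in exports:
        for host, reason, when in parse_export(text):
            hosts[host]["count"] += 1
            hosts[host]["reasons"].add(reason)
            hosts[host]["times"].append(when)
    return {host: {"count": h["count"], "reasons": h["reasons"],
                   "first": min(h["times"]), "last": max(h["times"]),
                   "fp_candidate": is_documented(host)} for host, h in hosts.items()}

if __name__ == "__main__":
    for host, h in summarize(FILTERED_SITES, WEB_CONTROL).items():
        print(host, h["count"], sorted(h["reasons"]), h["first"], h["last"], h["fp_candidate"])
```

A host flagged `fp_candidate` with its list of reasons and first/last timestamps is the material to attach to a false-positive report; the flag only means the hostname falls under a documented suffix, not that the block was wrong.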
