Microsoft is stating the service is restored and they are working on cleanup
Microsoft has identified that the recent addition of multiple safe URLs to the SafeLinks feature caused the URL click logging service False Positive configuration rule to incorrectly begin generating false positive records to the O365 alerting service. These alerts were then delivered to O365 admins as notifications of a potentially malicious URL click action from a user.
Microsoft has reverted these additions and confirmed that O365 admins are no longer receiving the false activity alerts. Microsoft is working to mark all false positive alerts as resolved and is building a full list of URLs associated with these alerts; however, Microsoft has found that a large number of them originated from URL clicks directing to Zoom.us domains. O365 Admins may dismiss any of the alerts from this domain.
Start time: Wednesday, March 29, 2023, 2:00 AM (7:00 AM UTC)
End time: Wednesday, March 29, 2023, 12:15 PM (5:15 PM UTC)
Microsoft 365 Defender Incident ID: DZ534539
Title: O365 Admins are receiving false alerts that malicious URLs have been clicked
User impact: O365 Admins may be receiving false alerts that malicious URLs have been clicked.
More info: Specifically, the alert emails refer to 'A potentially malicious URL click was detected'. Additionally, O365 admins may be unable to view alert details using the 'View alerts' link in the emails or in the Microsoft Defender portal.
This issue does not prevent the user from accessing the legitimate URL.
Current status: Microsoft has confirmed that the false positive alerts are generated when an O365 user clicks on a legitimate URL, as the legitimate link is being incorrectly marked as malicious. This issue does not prevent the user from accessing the legitimate URL. Microsoft is reviewing network trace logs and diagnostic data related to URL reputation, to better understand which part of the service is incorrectly identifying the URL as malicious.
Scope of impact: Impact is specific to any O365 admin served through the affected O365 infrastructure.
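Microsoft's guidance above is that alerts pointing at Zoom.us can be dismissed, but only the alerts from this incident, and only where the clicked host really is zoom.us. The following triage helper is an added example (not Microsoft's code and not part of the notice): it takes alert records exported from the Defender portal and splits them into "dismiss" and "review" using the three facts the notice gives (the alert title, the incident window converted to UTC, and the zoom.us domain). The Alert field names and the sample records are constructed for the example; a real export will use its own column names. The point worth copying is the host check: a substring test such as `"zoom.us" in url` would also accept a lookalike host like zoom.us.example.net or a path that merely contains "zoom.us", so the match is done on the parsed hostname.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Incident window as stated in the notice, in UTC.
INCIDENT_START = datetime(2023, 3, 29, 7, 0, tzinfo=timezone.utc)
INCIDENT_END = datetime(2023, 3, 29, 17, 15, tzinfo=timezone.utc)
# Alert title quoted in the notice.
FP_ALERT_TITLE = "A potentially malicious URL click was detected"
# Domain Microsoft named as the known source of the false positives.
KNOWN_FP_DOMAINS = ("zoom.us",)


@dataclass(frozen=True)
class Alert:
    """Minimal alert record. Field names are an assumption for this example;
    a real portal or API export will have its own column names."""
    alert_id: str
    title: str
    created_utc: datetime
    clicked_url: str


def host_matches(url: str, domain: str) -> bool:
    """True only if the URL's host is `domain` itself or a subdomain of it.
    urlsplit().hostname is already lowercased; a trailing dot is stripped so
    'zoom.us.' still matches. Lookalikes (zoom.us.example.net) and URLs that
    only carry 'zoom.us' in the path do not match."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_known_false_positive(alert: Alert) -> bool:
    """Dismissable only when all three conditions from the notice hold."""
    if alert.title != FP_ALERT_TITLE:
        return False
    if not INCIDENT_START <= alert.created_utc <= INCIDENT_END:
        return False
    return any(host_matches(alert.clicked_url, d) for d in KNOWN_FP_DOMAINS)


def triage(alerts):
    """Return (dismiss_ids, review_ids), preserving input order."""
    dismiss = [a.alert_id for a in alerts if is_known_false_positive(a)]
    review = [a.alert_id for a in alerts if not is_known_false_positive(a)]
    return dismiss, review


def _utc(hour: int, minute: int) -> datetime:
    return datetime(2023, 3, 29, hour, minute, tzinfo=timezone.utc)


# Constructed sample alerts (not real data) covering the cases that matter.
SAMPLE_ALERTS = [
    Alert("A1", FP_ALERT_TITLE, _utc(9, 30), "https://zoom.us/j/123456789"),
    Alert("A2", FP_ALERT_TITLE, _utc(12, 5), "https://US02WEB.ZOOM.US/j/987654321"),
    Alert("A3", FP_ALERT_TITLE, _utc(10, 0), "https://zoom.us.example.net/j/1"),   # lookalike host
    Alert("A4", FP_ALERT_TITLE, _utc(10, 0), "https://example.net/zoom.us/login"), # zoom.us only in the path
    Alert("A5", FP_ALERT_TITLE, _utc(18, 0), "https://zoom.us/j/555"),             # after the window closed
    Alert("A6", "Unrelated alert (constructed)", _utc(9, 0), "https://zoom.us/j/1"),  # different alert type
]

if __name__ == "__main__":
    dismiss, review = triage(SAMPLE_ALERTS)
    print("dismiss:", dismiss)
    print("review :", review)
```

Only A1 and A2 land in the dismiss list; the lookalike host, the path-only match, the click after 5:15 PM UTC and the unrelated alert all stay queued for a human. If you widen KNOWN_FP_DOMAINS once Microsoft publishes its full URL list, keep the window check in place: a genuine malicious click on one of those domains outside the incident period should not be swept up with the false positives.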