HACKER Q&A
📣 captain_dfx

Microsoft SmartScreen is destroying our business


About a month ago, Microsoft SmartScreen suddenly started flagging the login page of our SaaS dashboard as 'unsafe', scaring away our customers.

We understand false flags can happen. So we took to the official SmartScreen feedback site to report the false flag (as the website owner). Received an email that stated it would take up to 24hrs to analyse: 'If the status of your site has not changed after 24 hours, please contact us with a reply to this message'.

Sep 8 - first ticket sent. Sep 9 (24h later) - nothing. So we replied to the message as instructed. Sep 12 - still nothing. One more reply sent. Asked some of our customers to report our site as safe. Sep 15 - crickets. Tried calling phone support, impossible to get through; they just hang up on us. Reached out to MS support on Twitter, said they would look into the case. Sep 22 - no changes - MS twitter support has been unable to find the correct person internally. We replied to the SmartScreen ticket once more. Opened two new tickets. Asked more customers to report the site as safe. Sep 30 (Today) - now the warning has started to spread from our login page to our entire dashboard. Still no word from Microsoft.

We are totally baffled that MS allows a false flag to stay up this long, totally ignoring us for almost a full month, meanwhile destroying a business that did nothing wrong...

We suspect one of our competitors is responsible for falsely reporting us. Is 'weaponized SmartScreen' a thing?

Does anyone have a similar experience? Any advice on resolving this matter is greatly appreciated!


  👤 jcrawfordor Accepted Answer ✓
Very important that you develop complete confidence that there isn't anything wrong with your product. It's not uncommon, in fact it's very common, for compromise kits for websites to take measures to avoid detection. A common one is only serving the malicious content when a specific referrer is present (I've seen this be Yahoo Search in the case of compromised Drupal installations multiple times, not really sure why). It might be wise to engage a security firm to conduct an investigation if you don't have in-house expertise in this area. You should definitely review logs carefully for any unusual inbound traffic. Sometimes looking up your own domain on services like virustotal can reveal the problem, as it might turn up samples of malware retrieved from your website.

I say this because I have been involved in this exact situation multiple times: website flagged by some or other security service, website operator has no idea why and insists it is fine, website turns out to be serving the landing page of a major pharma scam campaign unnoticed by the website operator due to anti-detection measures.
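A way to run the referrer check jcrawfordor describes against your own login page, as an added example that is not part of this thread: it fetches the page under several Referer and User-Agent variants and reports any external script, iframe, stylesheet or image sources that show up in one variant but not in the plain fetch. The header variants, the two sample pages and the bad-host.invalid hostname are constructed for the example; the fetcher is injectable so the comparison itself runs offline.

```python
import re
import urllib.request
from typing import Callable, Dict, Optional, Set

# Header variants to request the page under (assumed set; extend as needed).
VARIANTS: Dict[str, Dict[str, str]] = {
    "direct": {},
    "from-yahoo": {"Referer": "https://search.yahoo.com/search?p=example"},
    "from-google": {"Referer": "https://www.google.com/"},
    "from-bing": {"Referer": "https://www.bing.com/"},
    "old-ie-ua": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko"},
}

# Tags whose src/href pull code or content into the page.
_EXT_RE = re.compile(
    r"<(?:script|iframe|link|img|object|embed)\b[^>]*?(?:src|href)=[\"']?([^\"' >]+)",
    re.IGNORECASE,
)

def external_refs(html: str) -> Set[str]:
    """Absolute or protocol-relative resource URLs referenced by the page."""
    return {u for u in _EXT_RE.findall(html) if u.startswith(("http://", "https://", "//"))}

def fetch_variants(url: str,
                   opener: Optional[Callable[[str, Dict[str, str]], str]] = None) -> Dict[str, str]:
    """Fetch url once per header variant; opener(url, headers) -> html is
    injectable so the comparison can be exercised offline."""
    if opener is None:
        def opener(u: str, headers: Dict[str, str]) -> str:
            req = urllib.request.Request(u, headers=headers)
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.read().decode("utf-8", "replace")
    return {name: opener(url, headers) for name, headers in VARIANTS.items()}

def cloaking_report(pages: Dict[str, str], baseline: str = "direct") -> Dict[str, Set[str]]:
    """Map each non-baseline variant to the external resources it references
    that the baseline response does not. An empty dict means no divergence."""
    base = external_refs(pages[baseline])
    report: Dict[str, Set[str]] = {}
    for name, html in pages.items():
        if name == baseline:
            continue
        extra = external_refs(html) - base
        if extra:
            report[name] = extra
    return report

# Constructed sample: the same login page, except the Yahoo-referred copy
# carries an injected script from a hypothetical attacker host.
CLEAN = ('<html><head><script src="/static/app.js"></script>'
         '<link rel="stylesheet" href="https://cdn.example.com/app.css"></head>'
         '<body>login</body></html>')
INJECTED = CLEAN.replace("</head>", '<script src="//bad-host.invalid/p.js"></script></head>')
SAMPLE_PAGES = {name: (INJECTED if name == "from-yahoo" else CLEAN) for name in VARIANTS}

if __name__ == "__main__":
    # Offline demo on the constructed pages; for a live run use
    # cloaking_report(fetch_variants("https://<your-login-url>")).
    for variant, extra in cloaking_report(SAMPLE_PAGES).items():
        print(f"{variant}: references {sorted(extra)} that the direct fetch does not")
```

Fetch from a machine outside your own network as well: some injections key on the visitor's IP range, and a check from the office subnet can come back clean while customers are being served the injected copy.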


👤 dboreham
I've noticed that the people running automated flagging systems seem to become inordinately smug to the point that they believe their false positive result over all forms of external evidence. So to them you are a criminal and that's that.

👤 freedomben
As has already been said, there's a chance that you are compromised and don't know. Obviously keep trying to contact MS, but in the meantime I'd make as sure as you can that they don't have a legitimate beef.

If you're willing to share more details about your site such as your tech stack, we can probably give you more specific advice beyond "check your logs for weirdness and hire a consultancy firm that deals with breach detection," though that is good advice.

For what it's worth I went through something similar to this not too long ago, so I know how maddening it is. My client never found any breach (though I did find some PHP library CVEs that could have conceivably been chained together to wreak some havoc), but I ended up rebuilding their prod environment clean and the flag went away on its own after a couple days, probably because whatever malware was in there had disappeared.


👤 missedthecue
When this happened to my software product I fixed it by purchasing a Comodo EV code signing certificate. It cost me $502, it was FedExed to me on a USB, and I signed my program. Tens of thousands of installs later, I have never had an issue with SmartScreen. Note that there are two types of code signing certs, you want the EV Code Signing Certificate. It will instantly give your program reputation that ends the SmartScreen filter issue.

Is it a corrupt system? Pay to play? Sure. But this is a guaranteed way to solve the problem. And way cheaper and 1000x faster and less of a headache than contacting an attorney (which a surprising number of people here are recommending!)


👤 gw99
I had problems with Windows Defender finding a false positive in the output of a product I was working on. This was an EV code signed MSI package with signed exe. This eventually inflamed SmartScreen and despite getting the thing sorted as a false positive by the AV guys it took 3 months for it to stop being flagged.

After working on Microsoft dev for ~20 years, 2019 was the last thing I touched. I handed everything else over and moved on. I will NEVER deal with that company again. Nothing but fucking shit for that entire time. The grass /is/ greener on the other side.


👤 phrz
Have you considered that your service, unbeknownst to you, may have been compromised at some point in time, and the source of some phishing page or other malicious material?

Besides that possibility, if your business is truly being "destroyed," have you contemplated retaining counsel to escalate things with Microsoft?


👤 jbk
And yet, when we submit crapware clones of VLC repackaged, while giving extensive details about the spyware, adware and services installed, MS refuses to block them…

I love Smartscreen…


👤 lixtra
Get a lawyer. Ask for an injunction by a court. Make smartscreen liable for the damage they do to you.

👤 nvr219
People talking about is it a false flag, real flag... Post your SaaS URL and you'll get a free security assessment from a dozen hners.

👤 nickhalfasleep
I encountered this. I had a cloud service that I had spun up services on, with some DNS records pointing to it, and then abandoned. The IP address was then used by malware, but because my DNS pointed to it, my whole domain got blacklisted.
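The failure mode nickhalfasleep describes (a record left pointing at an address or hosted service you no longer hold) is cheap to check for. Added example, not from the thread: it walks a zone export, flags A records whose address is not in your current inventory, and flags CNAMEs whose target no longer resolves (the classic subdomain-takeover setup) or is not a service you still pay for. The zone, the inventory sets and the stand-in resolver answers are all constructed.

```python
import socket
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed zone export: (name, record type, target). Not from the thread.
ZONE: List[Tuple[str, str, str]] = [
    ("www.example.com", "A", "203.0.113.10"),
    ("app.example.com", "A", "203.0.113.11"),
    ("old-demo.example.com", "A", "198.51.100.77"),   # VM released months ago
    ("status.example.com", "CNAME", "status-page.hosting.invalid"),  # service cancelled
    ("blog.example.com", "CNAME", "blog.example.com.cdn-provider.invalid"),
]

# Constructed inventory: addresses and service hostnames still under contract.
OWNED_IPS: Set[str] = {"203.0.113.10", "203.0.113.11"}
OWNED_CNAME_TARGETS: Set[str] = {"blog.example.com.cdn-provider.invalid"}

def live_resolve(name: str) -> Optional[str]:
    """One IPv4 address for name, or None when it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def dangling_records(zone: List[Tuple[str, str, str]], owned_ips: Set[str],
                     owned_cnames: Set[str],
                     resolve: Callable[[str], Optional[str]] = live_resolve) -> Dict[str, str]:
    """Return {record name: reason} for records pointing outside your inventory."""
    findings: Dict[str, str] = {}
    for name, rtype, target in zone:
        if rtype == "A":
            if target not in owned_ips:
                findings[name] = f"A record points at {target}, not in the owned-IP inventory"
        elif rtype == "CNAME":
            if resolve(target) is None:
                findings[name] = f"CNAME target {target} no longer resolves (takeover risk)"
            elif target not in owned_cnames:
                findings[name] = f"CNAME target {target} is not in the owned-service inventory"
    return findings

def constructed_resolver(name: str) -> Optional[str]:
    """Stand-in for DNS so the example runs offline (constructed answers)."""
    return {"blog.example.com.cdn-provider.invalid": "203.0.113.50"}.get(name)

if __name__ == "__main__":
    # Pass live_resolve (the default) to check a real zone export.
    for record, reason in dangling_records(ZONE, OWNED_IPS, OWNED_CNAME_TARGETS,
                                           constructed_resolver).items():
        print(f"{record}: {reason}")
```

Run it from the same pipeline that releases cloud resources: the point is to delete the record before the address is handed to the next tenant, not to discover it after the domain is already listed.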

👤 twistslider
I've seen someone with a similar experience to you (and also a SaaS) a few days ago: https://twitter.com/xhfloz/status/1574404009288425472

Not sure if they solved it, but might be helpful asking them.


👤 badrabbit
Do you allow user-generated content at all that is internet accessible? Have you looked up your domain and IPs in VirusTotal and other similar services? Can users host any type of file that can be accessed without authentication?

Yes/no/yes to the above questions means that is where you should look.


👤 gkoberger
I know you probably don't want to dox yourself, but this post has a good amount of traction. It wouldn't hurt to include either contact information or the site in question, just in case someone who can do something sees this!

👤 yashg
Oh yes! I have a desktop software and MS Defender sometimes flags it as unsafe. Mostly happens after I release a new version. It scares away new users, even existing users get spooked. I have to file a report and send customers scan reports from other scanners and convince them it's a false flag. I feel really hopeless in such a situation.

👤 Guid_NewGuid
Same thing happened to us, after a week or so we just had to change the subdomain of our login site. No answer was ever forthcoming on the previous domain and the new one remains unflagged months later.

👤 rjc
I'm so sick and tired of businesses abusing my trust and/or not publishing their security breaches that I'm using plus ('+') email addresses everywhere, i.e.:

my_account+site_address@example.org

for regular interactions, or:

my_account+site_address-current_date@example.org

for one-off interactions.

Won't help with historical abuses/data breaches but it'll certainly be invaluable in the future.


👤 bombcar
Do you have a link to the domain? Perhaps it can be determined why it is triggering.

👤 codegeek
This happens to some of our customers (they have custom domains on our SaaS). It is beyond ridiculous.

👤 jotm
You need to buy an EV certificate which is why many Devs complain SmartScreen made Windows Pay2Win.

But you can pay for it by implementing malware in your newly whitelisted app :D


👤 rsync
Where can I go to test what "smartscreen" thinks of a particular URL ?

I am neither a "smartscreen" nor even a Microsoft customer - is it possible for me to see what they think of a particular domain/address/URL?


👤 gypon
What if it's a true flag? Your website might be compromised and serving malware.

What sort of business is it? If it's something particularly scammy, it might be being screened for that reason.


👤 t0bia_s
A similar thing happened to me. My OneDrive links that I share with clients end up in their email spam folder. It took me a few weeks before I realized that a few clients were still waiting for my work, because they did not have it in their inbox.

I know that it is a problem with the email providers, but still I would like to leave OneDrive, but I cannot find an alternative that is in a similar price range as OneDrive (about 2 USD/month for 1TB).


👤 TheLoafOfBread
I sorted this out by buying a certificate and digitally signing the binaries. You can get it from GoDaddy, Sectigo, etc.

👤 simooooo
This happened to me too because a subdomain was the same as a popular product brand name. This was kicked off by Chrome/Google, then fed through to SmartScreen. Which took a few days to sort out. Had to claim the domain on Google search tools and find the reason.

👤 shishy
Do you have any scripts loading that might be malicious / triggering a flag? What's the website?

👤 mkl95
The answer is in your logs. If there are no logs, Microsoft knows your site better than you do.
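What "review logs carefully" (jcrawfordor) and "the answer is in your logs" (mkl95) look like in practice, as an added example that is not from this thread: if a compromised site hands an injected page only to visitors arriving from one search engine, the access log already records it, because the same path returns a different byte count whenever that Referer is present. The script parses Combined Log Format lines, groups 200 GET responses by (path, referrer host) and reports hosts whose response size deviates from the path's typical size. The log lines below are constructed; the tolerance is an assumed setting.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: /login is 4112 bytes for everyone except Yahoo-referred visitors.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Sep/2022:10:01:02 +0000] "GET /login HTTP/1.1" 200 4112 "-" "Mozilla/5.0"
203.0.113.6 - - [30/Sep/2022:10:01:09 +0000] "GET /login HTTP/1.1" 200 4112 "https://www.google.com/" "Mozilla/5.0"
203.0.113.7 - - [30/Sep/2022:10:02:30 +0000] "GET /login HTTP/1.1" 200 4112 "https://app.example.com/dashboard" "Mozilla/5.0"
203.0.113.8 - - [30/Sep/2022:10:03:11 +0000] "GET /login HTTP/1.1" 200 9870 "https://search.yahoo.com/search?p=example" "Mozilla/5.0"
203.0.113.9 - - [30/Sep/2022:10:03:40 +0000] "GET /login HTTP/1.1" 200 9871 "https://r.search.yahoo.com/_ylt=abc" "Mozilla/5.0"
198.51.100.2 - - [30/Sep/2022:10:04:00 +0000] "GET /static/app.js HTTP/1.1" 200 88120 "https://app.example.com/login" "Mozilla/5.0"
"""

def parse_log(text: str) -> List[dict]:
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
        d["ref_host"] = urlsplit(d["referer"]).hostname or "(none)"
        rows.append(d)
    return rows

def referer_size_outliers(rows: List[dict], tolerance: float = 0.10) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """For every path served with 200 to a GET, take the most common response
    size across all referrers as 'typical'; return {(path, referrer host):
    (typical, seen)} for responses that deviate by more than tolerance."""
    by_path = defaultdict(list)
    for r in rows:
        if r["method"] == "GET" and r["status"] == "200":
            by_path[r["path"]].append((r["ref_host"], r["bytes"]))
    out: Dict[Tuple[str, str], Tuple[int, int]] = {}
    for path, entries in by_path.items():
        typical = Counter(size for _, size in entries).most_common(1)[0][0]
        for host, size in entries:
            if abs(size - typical) > tolerance * typical:
                out[(path, host)] = (typical, size)
    return out

if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/nginx/access.log").read() for a real run.
    for (path, host), (typical, seen) in referer_size_outliers(parse_log(SAMPLE_LOG)).items():
        print(f"{path} via {host}: {seen} bytes, typical {typical}")
```

Sizes from a logging proxy or CDN may include compression, so group by the layer that actually rendered the response; and if your app varies page size legitimately (A/B tests, per-user banners), narrow the comparison to unauthenticated paths such as the login page, where every visitor should receive the same bytes.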

👤 midislack
Are you in the same competitive space as MS? If so you shouldn’t act surprised.

👤 crumpled
I'm having the same issue, but it's Xfinity blocking my site from their business customers. The official contact form seems to be a sinkhole. It's beyond frustrating. I feel maligned and defamed.

👤 ROTMetro
Would it be possible to hire a lawyer to send them a letter notifying them you intend to sue for defamation of character?

👤 timnetworks
Microsoft SmartScreen is a broken product staffed by presumably broken people.

[edit] buy a cert like the smart people are saying


👤 fxtentacle
Weaponized flagging is totally a thing on Amazon, so I wouldn't be surprised if it is with SmartScreen, too.

👤 Benanov
Is your login page vulnerable to an open redirect?

Run your page against the OWASP Top 10. You might find something.
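Why Benanov's open-redirect question matters here: a login page whose `next` parameter will send a freshly signed-in user to any URL lets a third party bounce victims through your trusted domain to a phishing site, which is exactly the behaviour a URL-reputation system punishes. Added example, not from the thread: the naive validator that many apps ship ("starts with a slash" or "contains our hostname") next to a hardened one that only accepts same-site paths, plus a constructed probe list to run against your own handler. The hostname app.example.com and the evil.invalid host are placeholders.

```python
from typing import Callable, List, Tuple
from urllib.parse import urljoin, urlsplit

SITE_HOST = "app.example.com"   # constructed; your login page's host

def naive_is_safe(target: str) -> bool:
    """Common mistake: a leading slash or our hostname anywhere in the value."""
    return target.startswith("/") or SITE_HOST in target

def hardened_is_safe(target: str) -> bool:
    """Accept only a same-site path: no scheme, no authority, no backslashes
    (browsers treat '/\\' like '//'), and still on our host after resolving
    the value against our own origin."""
    if not target or "\\" in target or target.startswith("//"):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    resolved = urlsplit(urljoin(f"https://{SITE_HOST}/", target))
    return resolved.netloc == SITE_HOST and resolved.path.startswith("/")

def safe_redirect_target(target: str, fallback: str = "/dashboard") -> str:
    """What the post-login handler should actually put in the Location header."""
    return target if hardened_is_safe(target) else fallback

# Constructed probes: (next value, should it be accepted?)
PROBES: List[Tuple[str, bool]] = [
    ("/dashboard", True),
    ("/settings?tab=billing", True),
    ("//evil.invalid/login", False),                     # protocol-relative URL
    ("https://evil.invalid/", False),
    ("/\\evil.invalid", False),                          # backslash normalised by browsers
    ("https://app.example.com.evil.invalid/", False),    # our host as a prefix of theirs
    ("https://evil.invalid/?app.example.com", False),    # our host in the query string
    ("javascript:alert(1)", False),
]

def run_probes(checker: Callable[[str], bool]) -> List[str]:
    """Return the probe values the checker classifies wrongly."""
    return [value for value, expected in PROBES if checker(value) != expected]

if __name__ == "__main__":
    print("naive validator gets wrong:", run_probes(naive_is_safe))
    print("hardened validator gets wrong:", run_probes(hardened_is_safe))
```

If the product genuinely needs to redirect off-site after login (a partner portal, say), keep an explicit allow-list of full hostnames and compare `resolved.netloc` against it; never derive "trusted" from a substring match on the value.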


👤 wahnfrieden
Good luck getting them to care

👤 swayvil
Look at most of the replies here. "Nuh uh, it's you. You have failed to check the obvious..."

It inspires paranoia I tell you.