Update - Microsoft Defender SmartScreen continues to flag the OAuth authorization URL https://app.cronofy.com/oauth/authorize as unsafe.
We are yet to hear back from Microsoft regarding our dispute of this classification.
We do not wish to make changes that could be seen as attempting to bypass this protective mechanism as that is what a nefarious actor would do, potentially leading to the entire domain being flagged. We are instead attempting to go through the proper process to get the classification corrected, but this does mean the time line is out of our hands.
Users appear to be able to refresh the page when they hit the warning and the page then functions as normal. Using a browser other than Microsoft Edge also serves as a workaround to this issue.
We would like to request that our customers initiate their own calendar OAuth flows in Microsoft Edge and see if they are shown a warning. If so, can you click the "More information" link and then "Report that this site doesn't contain phishing threats" and fill out the form. This should help our case get in front of the correct people at Microsoft for resolution.
Oct 03, 2022 - 17:26 BST
We are yet to hear back from Microsoft regarding our dispute of this classification.
We do not wish to make changes that could be seen as attempting to bypass this protective mechanism as that is what a nefarious actor would do, potentially leading to the entire domain being flagged. We are instead attempting to go through the proper process to get the classification corrected, but this does mean the time line is out of our hands.
Users appear to be able to refresh the page when they hit the warning and the page then functions as normal. Using a browser other than Microsoft Edge also serves as a workaround to this issue.
We would like to request that our customers initiate their own calendar OAuth flows in Microsoft Edge and see if they are shown a warning. If so, can you click the "More information" link and then "Report that this site doesn't contain phishing threats" and fill out the form. This should help our case get in front of the correct people at Microsoft for resolution.
Oct 03, 2022 - 17:26 BST
Update - Microsoft Defender SmartScreen is still flagging the OAuth authorization URL https://app.cronofy.com/oauth/authorize as unsafe.
We first received a report of this on Thursday evening, and it is potentially related to a recent release of Microsoft Edge https://blogs.windows.com/msedgedev/2022/09/29/more-reliable-web-defense/
We have identified an application in development mode which may have been being used as part of a phishing scam. Using Cronofy's domain as a trust-worthy starting point but redirecting on to an untrustworth redirect URI after the user has granted access to their calendar. We have disabled this application and made our warning that an application in development mode much more prominent to discourage the use of development mode applications in this way.
We have reached out to the SmartScreen team for an update and let them know our findings and actions so far.
Oct 01, 2022 - 12:07 BST
We first received a report of this on Thursday evening, and it is potentially related to a recent release of Microsoft Edge https://blogs.windows.com/msedgedev/2022/09/29/more-reliable-web-defense/
We have identified an application in development mode which may have been being used as part of a phishing scam. Using Cronofy's domain as a trust-worthy starting point but redirecting on to an untrustworth redirect URI after the user has granted access to their calendar. We have disabled this application and made our warning that an application in development mode much more prominent to discourage the use of development mode applications in this way.
We have reached out to the SmartScreen team for an update and let them know our findings and actions so far.
Oct 01, 2022 - 12:07 BST
Update - We have been unable to find a workaround for the false negative with Microsoft Defender SmartScreen. We have been able to verify that it is only affecting Microsoft Edge users visiting the `/oauth/authorize` for the US data center, though attempts to alter the behavior in non-breaking ways have not cleared the error.
Our telemetry has confirmed that the scale of the impact is very small.
Customers using Microsoft Edge to authorize calendars will see the warning, though refreshing the page will clear it, as will choosing to Continue to the page.
We are awaiting a response from Microsoft regarding our request to verify the affected URL.
Users of other web browsers continue to be unaffected.
Sep 30, 2022 - 15:47 BST
Our telemetry has confirmed that the scale of the impact is very small.
Customers using Microsoft Edge to authorize calendars will see the warning, though refreshing the page will clear it, as will choosing to Continue to the page.
We are awaiting a response from Microsoft regarding our request to verify the affected URL.
Users of other web browsers continue to be unaffected.
Sep 30, 2022 - 15:47 BST
Investigating - We have had reports of Microsoft Defender SmartScreen within Microsoft's Edge browser flagging some OAuth flows as being from an unsafe site.
We obviously believe this to be a false-negative and have reported this to Microsoft.
If users refresh the page Edge will allow users to continue without any warning.
Based on this workaround being simple and indicative of the domain as a whole not being deemed untrustworthy, we are investigating if there is anything we can do to avoid this false-negative from our side.
Sep 30, 2022 - 11:25 BST
We obviously believe this to be a false-negative and have reported this to Microsoft.
If users refresh the page Edge will allow users to continue without any warning.
Based on this workaround being simple and indicative of the domain as a whole not being deemed untrustworthy, we are investigating if there is anything we can do to avoid this false-negative from our side.
Sep 30, 2022 - 11:25 BST
API
Operational
Background Processing
Operational
Developer Dashboard
Operational
Scheduler
Operational
Major Calendar Providers
Operational
Apple
Operational
Google
Operational
Microsoft 365
Operational
Outlook.com
Operational
Conferencing Services
Operational
GoTo
Operational
Zoom
Operational
Operational
Degraded Performance
Partial Outage
Major Outage
Maintenance