• Outlook.com login blocked by Malwarebytes

    • #2391183

      Your original url is http: – It needs to be a secure connection https:

      1 user thanked author for this post.
    • #2391184

      I tried my Win 8.1 machine and I do not get the block on either Edge or Chrome. Both browsers have the Malwarebytes Browser Guard. This is looking like either MS has a problem with their Edge/Outlook address resolution or a genuine hack into their sign in address. Or maybe they changed the address on Edge Win 10 and Malwarebytes has not picked it up as genuine??

    • #2391188

      I am able to logon with Edge on Win10. Can you disable Malwarebytes Browser Guard for that site? If not, can you disable it completely to test the logon?

      --Joe

      1 user thanked author for this post.
    • #2391209

      Your original url is http: – It needs to be a secure connection https:

      I am not typing htt… On the Edge address bar I just type “www.outlook…” but the Woody site is changing it to http://…) and then that displays the MS outlook page with 2 boxes at top, Premium and Sign In with the address line now showing “outlook.live.com/owa/” and then I click the Sign In box which briefly displays the normal screen to put in the user id and then Malwarebytes jumps in.

      Incidentally on my Win 8.1 PC it now also is showing the Malwarebytes warning on just Edge.

      If not, can you disable it completely to test the logon?

      I could but then it would go straight through to the bad page that Malwarebytes is warning against so I might be picking up the malware.

       

    • #2391210

      You guys are going to think I am crazy but now it is working without the Malware warning. Ahhh!!

      The normal sign in box points to the address (“https://outlook.live.com/owa/?nlp=1”) which brings up the normal MS screen where you put in your user id but earlier that sign in box pulled up the address I listed above, (“https://logincdn.msauth…..”).

      Perhaps MS was trying to move the sign in to a different location and threw that out to some sign in’s as a Beta test?? and now changed it back??

      Note I had to put (“..”) around the addresses because the Woody site converts my (“www.outlook.com”) without the parens/quotes to (“http://www.outlook.com”) as PKCano above was seeing. And Woody site is also adding those #numbers after what I have actually typed even with the quotes???

    • #2391219

      Apparently from more Google searching that logincdn.msauth causes a lot of script errors on various MS logins with fixes offered on Google. So again sounds like MS was trying to switch the outlook login from the current to this other login site. I wish someone from MS that knows what this is would comment as to why I was directed to that site from my normal sign in which normally directs to (login.live.com/login.srf?……….)

    • #2391384

      Have you tried reporting this on the Malwarebytes forum?

      I found them most helpful with a recent update that clashed badly with my Office 2010 apps.  I don’t see whether you are a paid-up user.

      Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

      1 user thanked author for this post.
    • #2391394

      Everything working fine today so whether that was the MS website changing their address resolution or a Malwarebytes error, someone fixed it.

      Your original url is http:

      Also to clarify when I originally typed my post I typed “www” followed by “.outlook” followed by “.com” and either Edge or the Woody site changed that to a hyperlink “http://www.outlook.com” in a blue color when I submitted the post. That is kind of like EXCEL where you type something and EXCEL thinks it is web address and converts it to a hyperlink and puts that on your spreadsheet in a different color, which can be very irritating if that is not what you want to display as in this case.

      Same thing again as I did not type the &#8221 after .com

    • #2391395

      forget it!

    • #2391410

      Have you tried reporting this on the Malwarebytes forum?

      Nope, just using the free version but seriously thinking about going with the premium. Since using free I was not sure if they would be that anxious to investigate and especially since it is now not happening. Also was not sure if I should report on MS community but having to go there and create another id/password is time consuming and from reading it before not sure if it really  helps from some of the complaints.

    • #2391696

      Hi J9428:

      See the 22-Sep-2021 topic MWB Browser Guard- False +ve or Hidden Malware?! in the Malwarebytes Browser Guard for Chrome forum. According to staffer gonzo’s 23-Sep-2021 reply <here> in that thread the problem was fixed by Malwarebytes (his 22-Sep-2021 post in Blocking Outlook.com Sign-in states they simply whitelisted the URL), and if the block persists then users should disable and re-enable Malwarebytes Browser Guard to clear the cache used by this extension.

      1 user thanked author for this post.
    • #2391746

      the problem was fixed by Malwarebytes

      Many, many thanks for that information. So Malwarebytes was the culprit.

      Interesting, too, several months ago I had exactly the same thing on EXXON’s Web site trying to register for their rewards card. I could not understand how such a well respected retailer could have malware on their sign up site, but now it makes sense it was Malwarebytes doing the same thing. Makes me wonder if they are doing this to scare you into getting their premium product?? That along with the problem I just had with their payment system activating my bank’s fraud alert, https://www.askwoody.com/forums/topic/malwarebytes-credit-card-error/

      I no longer am going to get their premium product.

       

      • #2391757

        Hi J9428:

        To be fair to Malwarebytes, it wasn’t their fault that Microsoft changed the URL for their secure login authentications this week. Malwarebytes Browser Guard / Malwarebytes Premium Web Protection did what it was supposed to do – it detected users being re-directed to a previously unknown URL and blocked the connection. Once that false positive detection was reported to Malwarebytes the new URL was whitelisted within a day. As employee gonzo noted <here>, improvements are still required to the way the Malwarebytes Browser Guard extension uses cached data, but their browser extension detected the URL change for the authentication as it was designed to do.

        I’ve run Malwarebytes Premium in real-time protection mode along with my primary antivirus (Norton Security on my Vista SP2 machine, Microsoft Defender on my Win 10 machine) for over a decade, and added Malwarebytes Browser Guard to both my Firefox and MS Edge browsers a few years ago (note that I also use a reputable ad blocker like uBlock Origin or Adblock Plus in my browsers).  The Web Protection module of Malwarebytes Premium has prevented the download of a handful of PUPs (potentially unwanted programs like adware, browser hijackers, etc.) and blocked connections to some unsafe sites that were missed by my Norton antivirus, so I’m personally willing to tolerate a few extra false positive detections as long as Malwarebytes continues to fix them quickly once they are reported in their False Positives forum board. I wasn’t affected by the Microsoft login authentication block you reported in this thread because the false positive block of the URL was fixed by Malwarebytes before I was even aware of the problem.

        I should also mention that I purchased a lifetime/perpetual license for Malwarebytes Premium over a decade ago (the sale of these lifetime licenses was discontinued in March 2014) so I don’t have to pay an annual subscription for this product. If I didn’t have this lifetime license I suspect I would simply install Malwarebytes Browser Guard in my browsers for the additional web protection and then run the occasional on-demand Threat Scan with Malwarebytes Free every week or so just to look for any PUPs or malware missed by my primary antivirus.
        ———–
        64-bit Win 10 Pro v21H1 build 19043.1237 * Firefox v92.0.1 * Microsoft Defender v4.18.2108.7 * Malwarebytes Premium v4.4.6.132-1.0.1453 * MS Office Home and Business 2019 C2R v2108 (build 14326.20404)

        1 user thanked author for this post.
    • #2391785

      To be fair to Malwarebytes

      That is what I like about Woody – you get all sides of issues.

      Thanks for clarifying as your first comment

      the problem was fixed by Malwarebytes

      led me to believe it was completely their fault, but I did see the re-directed sign on address which MS did, which indicates both parties at fault. I am still confused if MS pulled the re-direct first and went back to the original sign in address or did Malwarebytes just accept the re-direct (what you call whitelist)? As soon as it cleared up for me it was back to the original sign in link.

      With your Malwarebytes experience listed above you have convinced me they do have a good and reliable product. My only remaining concern is with their payment system (that was probably different when you got yours a decade ago). My bank had NEVER flagged one of my credit purchases in over a decade so when they do flag one I consider it very SERIOUS. The 3rd party system Malwarebytes used and also the Malware rep, both, told me on the phone that company does payments for lots of companies. However, my bank apparently has suspicions as the bank rep said the flag was because the origin was probably China where they have received lots of fraudulent transactions.

      So before I pay for Malwarebytes I would like to see them use a different, less suspicious payment system provider. I was in a quandary as I did not want to approve the transaction so my bank would no longer flag transactions from that provider and thus leave me open to future fraud transactions with no alerts. How about using Woody’s payment provider??

      Again thanks for an excellent viewpoint!

      • #2391896

        …I am still confused if MS pulled the re-direct first and went back to the original sign in address or did Malwarebytes just accept the re-direct (what you call whitelist)? As soon as it cleared up for me it was back to the original sign in link…

        Hi J9428:

        Just a guess on my part, but given the URL that was blocked ended with …\image\favicon.ico I’m guessing that Microsoft changed the favicon (an image file displayed on the browser’s tab often used for branding or identifying a website) for their login authentication page. Favicons have been used in the past to hide malicious code (see the 2020 Malwarebytes Labs blog Credit Card Skimmer Masquerades as Favicon) and it’s possible that Malwarebytes Browser Guard / Malwarebytes Premium Web Protection noticed the change in one of the favicons used by Microsoft and temporarily blocked the URL until Malwarebytes could confirm that the new favicon was legitimate and free of malware.

        Malwarebytes defines a whitelist as “a list of resources and destinations that we decided to trust“. For example the malware (virus) definitions that are updated daily for your antivirus are essentially a database of SHA-256 hashes (unique digital fingerprints – see the sample calculator <here>) of .exe and other executable files that are known to be safe. Once the executable of an application is “whitelisted” (i.e., the SHA-256 hash is added to the list of safe files) then it can be downloaded and allowed to run on your computer without any interference from your antivirus. Every time an update is released for an application the SHA-256 hash of its executable(s) changes, and once the updated executable is re-tested and shown to be safe the new SHA-256 hash must be added to the whitelist. Whitelists can also be used for website blocking, where a specific range of IP addresses, domain names or URLs that are known to be safe are added to a whitelist to ensure that incoming and outgoing server connections are only allowed for safe web sites.

        1 user thanked author for this post.
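
Added example, not part of the original posts and not Malwarebytes' code: a simplified JavaScript model of the behaviour described in this thread, where a previously unknown sign-in host is blocked until it is whitelisted and a cached verdict keeps the block alive until the cache is cleared or expires. The class `UrlGuard`, the 60-second cache lifetime and all hostnames are constructed for illustration.

```javascript
// Simplified model: host allowlist with a verdict cache in front of it.
// All names and hostnames here are constructed, not real vendor data.
class UrlGuard {
  constructor(allowedHosts, ttlMs) {
    this.allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
    this.ttlMs = ttlMs;
    this.cache = new Map(); // host -> { verdict, expires }
  }

  // Vendor-side fix: a reported false positive is added to the allowlist.
  updateAllowlist(host) {
    this.allowed.add(host.toLowerCase());
  }

  // In this model, what disabling and re-enabling the extension achieves.
  clearCache() {
    this.cache.clear();
  }

  check(rawUrl, now = Date.now()) {
    let host;
    try {
      host = new URL(rawUrl).hostname; // URL() lowercases the hostname
    } catch {
      return "block"; // unparseable input is never trusted
    }
    const hit = this.cache.get(host);
    if (hit && hit.expires > now) return hit.verdict; // may be stale
    const verdict = this.allowed.has(host) ? "allow" : "block";
    this.cache.set(host, { verdict, expires: now + this.ttlMs });
    return verdict;
  }
}

function demo() {
  const guard = new UrlGuard(["login.example.com"], 60000);
  const newUrl = "https://logincdn.example.net/image/favicon.ico";
  const results = [];
  results.push(guard.check("https://login.example.com/login.srf", 0));
  results.push(guard.check(newUrl, 0));    // unknown host: blocked
  guard.updateAllowlist("logincdn.example.net");
  results.push(guard.check(newUrl, 1000)); // still blocked: cached verdict
  guard.clearCache();
  results.push(guard.check(newUrl, 2000)); // allowed after cache reset
  return results;
}
```

The third result is the case users in this thread were told to work around: the allowlist is already corrected, but the cached verdict still wins until it is cleared or times out.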
    • #2392116

      Thanks, Imacri

      Very interesting. No wonder there can be a short time period before everything is synced up.

      And the block on mine was brief and then okay again.

      When companies are changing something like this I don’t know why they cannot put a temporary banner on the sign on page (kind of like the COVID banner I see on so many websites) just to let you know something might be temporarily wrong.
