"logincdn.msauth.net" being identified as "Phishing"

Hi Kevin, 

we're experiencing an issue quite similar to yours where our customers receive certificate warnings for logincdn.msauth.net as shown in the screenshot. 
I'm uncertain about the cause of this issue but i doubt we are the only ones with this problem.

PS. I've checked the policy Helpdesk and it Shows Phishing/Malicious with both Pattern-Version 186284 and 186286

We had a user experience the exact same thing today. Same logincdn.msauth.net website and the certificate name matches our UTM proxy cert, however the issued date is incorrect. Also the really odd part is we are not using HTTPS scanning, so the proxy cert was never deployed to endpoints.

Hi JeffK,

the behavior is normal. Even when the webfilter is working with no active SSL decryption the default setting is to check https pages against the category filter.

The block page of the UTM is shown (or at least tried to be shown) in https, so that is the cause why the https certificate of the UTM is shown to the client which here complains about an untrusted certificate. Even with installed CA certificate the connection would have been blocked.

Real failure here is the wrong categorization of the Microsoft URL.

Yes you can create an exception for the thousands of O365 URLs and then Office would have worked normal. But I would really appreciate if Sophos would stop false-positiving the Microsoft URLs instead.

Hi,

I'd same issue last 2 days.

I've updated my UTMs last night from 9.605-1 to 9.703-3. It also updated pattern to version 186317. Now it works fine.