Meraki Firewall False Positive Triggers Microsoft 365 Outage

Did you experience trouble connecting to Exchange Online, Microsoft Teams, Outlook desktop clients, and OneDrive for Business this week?

According to Microsoft, it was only the EMEA region (Europe, Middle East & Africa) that was affected, but users across the globe reported trouble making connections to the abovementioned programs and affected infrastructure. Microsoft 365 tweeted out updates over the week, including that their investigation was focused on why potentially legitimate traffic was being blocked. 

An employee at Cisco Meraki announced on Wednesday that a vulnerability reported by Microsoft was triggering “SNORT rule 1-60381”. CVE-2022-35748 is a denial-of-service vulnerability that Microsoft disclosed on August 9th; Microsoft 365 traffic matched the corresponding “Microsoft Windows IIS denial-of-service attempt” alert on intrusion detection and prevention (IDS/IPS) devices such as the Cisco Meraki firewall. This false-positive match on the CVE caused the firewalls to block legitimate traffic between these Microsoft services.

SNORT was doing its job: the rule fired on traffic that matched the vulnerability pattern it describes. SNORT rules are a methodology for performing detection. Unlike signatures, these rules are written to detect the underlying vulnerability itself rather than a specific exploit or a unique piece of data, which is why legitimate traffic that resembles the vulnerable condition can trigger them.

Cisco Meraki disabled the affected rule and recommended that users follow Microsoft’s advice to keep servers, operating systems and software updated with the latest security patches.

June and July have been eventful months for Microsoft. They experienced several outages, including a Microsoft 365 outage caused by a faulty ECS deployment, and Microsoft Teams and 365 outages caused by a broken connection to an internal storage service. An admin center in North America was knocked out by the outages.

If Microsoft is vulnerable to problems in the cyber sphere, so are we. Be proactive and undertake a comprehensive cyber risk assessment today.
