Our Domain Was Blocked


ShareVision

Hi There,

We are ShareVision, a SaaS app provider that services human services organizations primarily in Canada. Part of what our app does is provide the ability to send email alerts to users about important things that are logged in the app. We use the SendGrid service to send 10s of thousands of emails per day. On Tuesday, a bad actor managed to hack one of our API keys and start sending phishing messages as us. We, in conjunction with SendGrid, shut down our email and switched out the API key, and we are now back up and running and the messages are no longer being sent. Unfortunately, this has caused your app to block our domain and flag it as a phishing risk, as well as reporting that there is an issue with our SSL certificate. Nothing has changed with our certificate and it is completely valid. Based on the fact that we have mitigated the issue, we would like to know what we need to do to get unblocked by your app.

Thanks


All of our sites have a different subdomain. One customer that reported the issue is at

https://cscl2.sharevision.ca

They said any attempt to connect to any URL at that domain was blocked with this message:

We have other customers report the issue as well. Do you need all subdomains? (There are hundreds).


7 minutes ago, ShareVision said:

OK thank you for looking into it.

I am not looking into anything. I just noticed you gave no info for the staff to act on.

8 minutes ago, ShareVision said:

Can you elaborate on the process and potential timeline? 

Usually within 12-24 hours. Usually sooner.


Checking in on this request. I was just talking with a customer that is using the cloud version of your software and they are not able to whitelist our domain which means that they can't access their system without turning off your software. That does seem to be in anybody's best interest. Can anyone at Malwarebytes let us know where we are at with this so I can pass it on to my customers?

Thanks in advance


  • Staff
On 9/19/2024 at 11:57 AM, ShareVision said:

All of our sites have a different subdomain. One customer that reported the issue is at

https://cscl2.sharevision.ca

They said any attempt to connect to any URL at that domain was blocked with this message:

We have other customers report the issue as well. Do you need all subdomains? (There are hundreds).

Hello - Multiple freshly detected URLs in the last day or so: VirusTotal - Domain - url2866.sharevision.ca


Hi and thanks for responding. These URLs are generated by Gmail when a person clicks on a link in an email. My understanding is that the URL is based on the sender's domain, which in this case was one of ours. We have worked extensively with SendGrid, who is our email provider, and they have confirmed that no more phishing messages with this link have been sent since the 17th. These detections are just people who received the message finally getting around to clicking the link in the messages that were sent. We do not have a subdomain "url2866"; this is autogenerated by the Gmail application when a user clicks on a link in Gmail that was sent by us. What do you suggest that we do in this situation? Is there any way you can restrict the blacklist to just that subdomain so our customers can get back to work?


Apologies, I now realize that these URLs are created by the SendGrid click tracking service. In either case, the emails have already been sent and there is nothing we can do about people clicking on them at this point. We are very much open to suggestions as to how to rectify the situation. Thanks for any insight you can provide.


Hi Again,

We are still having many issues reported where the blocking of our entire domain is preventing users from accessing our application. As mentioned previously, the subdomain "url2866" was removed on Saturday. Can I please have an update on why we are still being blocked?


  • Staff
17 minutes ago, ShareVision said:

Hi Again,

We are still having many issues reported where the blocking of our entire domain is preventing users from accessing our application. As mentioned previously, the subdomain "url2866" was removed on Saturday. Can I please have an update on why we are still being blocked?

Thanks for the updated info. VT is still showing some detected URLs as live, but for the most part they appear 404 and their latency is kind of slow, so we've unblocked the subdomain. Thanks for your patience.
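
Added example, not part of the thread and not Malwarebytes' or ShareVision's tooling: a triage sketch for the scoping question raised above, checking whether detections sit on one tracking hostname or on the whole domain before choosing a blocklist entry. The hostnames come from the thread; the URL paths, the look-alike host and all function names are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample data: the hostnames appear in the thread, the paths and
# the look-alike host are made up for illustration.
FLAGGED_URLS = [
    "https://url2866.sharevision.ca/click/EXAMPLE-1",
    "http://URL2866.sharevision.ca./click/EXAMPLE-2",
    "https://url2866.sharevision.ca/click/EXAMPLE-3",
    "https://sharevision.ca.lookalike.example/login",
]
APP_HOSTS = ["cscl2.sharevision.ca"]  # one of the "hundreds" of customer sites
DOMAIN = "sharevision.ca"


def host_of(url):
    """Normalised hostname (lower case, no trailing dot) or None."""
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def is_under(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def flagged_hosts(urls, domain):
    """Count detections per hostname, ignoring hosts outside the domain."""
    hosts = (host_of(u) for u in urls)
    return Counter(h for h in hosts if h and is_under(h, domain))


def block_entries(urls, domain):
    """Narrowest blocklist entries that still cover every detection."""
    hosts = flagged_hosts(urls, domain)
    # Detections on the apex itself justify a domain-wide entry.
    return [domain] if domain in hosts else sorted(hosts)


def collateral(urls, app_hosts, domain):
    """App hosts with no detections that a domain-wide block would still hit."""
    hosts = flagged_hosts(urls, domain)
    return sorted(h for h in app_hosts if is_under(h, domain) and h not in hosts)


if __name__ == "__main__":
    print("detections per host:", dict(flagged_hosts(FLAGGED_URLS, DOMAIN)))
    print("block only:", block_entries(FLAGGED_URLS, DOMAIN))
    print("clean hosts hit by a domain-wide block:",
          collateral(FLAGGED_URLS, APP_HOSTS, DOMAIN))
```
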


  • TeMerc locked this topic