Microsoft 'Safelinks' (Defender) breaks links.

Question

Microsoft 'Safelinks' (Defender) breaks links.

Opened this issue 3 years ago · 4 comments

When a client uses a service like Microsoft's 'SafeLinks', one-use login links are broken. It seems that they effectively get used up by a GET to HEAD request that the link checking service does. Here's some more info on another product having the same issue: FusionAuth/fusionauth-issues#629 (and loads of other repos referencing that issue too).

Anyone found a way around this with this package? Presumably it would have the same impact on Laravel's bundled email verification.

Answer 1 · 2022-03-29T19:34:40.000Z

Does it use an identifiable user agent when it checks the links? If so, we could instruct the package to ignore that user agent when deciding whether to expire a single use link.

Answer 2 · 2022-05-31T18:47:59.000Z

Example of the user agent:

{
   "ip":"20.72.100.79",
   "agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36"
}

Answer 3 · 2022-12-05T11:50:54.000Z

This has come back, with a vengeance 😅 - It seems more recent versions of Outlook or Defender or something, are pre-checking links a lot more now.

For us, the user-agent is always blank it seem (from request logs) and the IP's vary, as you'd expect I suppose, but do seem to be in the same class B subnet:

104.47.1.254
104.47.30.126
104.47.2.254
104.47.59.254
104.47.66.126
104.47.55.254

Further investigations, and thoughts about how to get around this are ongoing, and I'll update here if I find something useful.

Answer 4 · 2024-06-27T11:45:34.000Z

@meredevelopment Heyo! It's been some time, so I doubt you'll answer me, but- did you ever figure out a solution?