Office 365 Advanced Threat Protection is flagging my Firebase Authentication emails

2

11

I have just today realised that the authorisation emails sent from my perfectly legitimate Firebase backend are being flagged as malicious by Microsoft Outlook's "Advanced Threat Protection".


There is no reason for this other than perhaps it was flagged during development due to me sending myself repeated confirmation emails in order to test the functionality.

This warning does not show up in regular hotmail/outlook accounts, but I am an Office 365 subscriber so it appears as though I am lucky enough to get this "advanced" protection which protects me from my own completely non-malicious website.

Should I contact Microsoft or Firebase for a solution?

Thanks a lot!

Update: I contacted Firebase support and received the following:

My name is XXXX from Firebase Support, thank you for reaching out to us. Problems on Microsoft services such as this “Advanced Threat Protection” are not in my area of expertise. I would suggest opening a ticket with Microsoft for this issue. I see that there is already a topic on Stack Overflow; please be sure to check other Firebase community channels as well.

I understand that this isn't Google's problem to solve, but it would seem any Firebase app using email verification is going to run into trouble with Microsoft email systems. Which is a lot of corporate and government systems...

Any suggestions on how to get some attention paid to this from either Google or Microsoft?

Ivaivah answered 4/10, 2018 at 0:37 Comment(2)
I have the same issue...ATP seems to be quite broad in its net...this discussion documents many disgruntled IT admins and email users trying to understand ATP's logic: answers.microsoft.com/en-us/msoffice/forum/…. Can we get some help from Firebase or the community? This issue will get everyone using Firebase for auth with customers at O365 organizations. – Shortcoming
Apologies...I edited your question (I didn't know you could do that) instead of using some other method to update with my Firebase support results...feel free to edit away or suggest I put it somewhere else (!). – Shortcoming
7

Cause

This error is caused by having inconsistent domains in the email. By default, user management emails link to the default action handler, which is a web page hosted at a URL in your project's Firebase Hosting domain ([project].firebaseapp.com), rather than the same domain you may be sending emails from ([email protected]).

Solution

Make this “action link” go directly to your website. This will solve the outlook warning, and also make it less likely you'll end up in spam filters in general. On your website, you have 2 options for how to handle the actual validation.

Both solutions below require your domain to be authorized.

This can be done under Authentication -> Sign-In Providers -> Authorized Domains

Option 1 - Use Custom Email Action Handlers (Hard option)

You can setup a custom email action handler so that these actions take place directly on your website, rather than on the firebase hosted page. This is a more integrated experience.

This can handle

  • Resetting passwords
  • Revoking email address changes—when users change their accounts' primary email addresses, Firebase sends an email to their old addresses that allow them to undo the change
  • Verifying email addresses

1. Create your custom email handler page

custom email action handler page - firebase docs

2. Update Email Template In Firebase

This can be done under Authentication -> Templates -> Email Address Verification -> Customize Action URL

Option 2 - Just Redirect (Easy option)

Link the email back to a page on your website, which will immediately perform a JavaScript redirect to the [project].firebaseapp.com authentication page, carrying through the URL parameters required to perform the necessary verifications and changes.

For Example

  • action url for email template: https://www.yourdomain.com/account-action (firebase will attach the appropriate params to the url automatically)
  • JavaScript redirect on your website goes to "https://project-name.firebaseapp.com/__/auth/action?" + params

I recommend ensuring you implement the continueUrl in your verification email delivery so that the user can easily get back to your website.

Celom answered 21/11, 2018 at 22:22 Comment(0)
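The "Option 2" redirect page from the answer above, as an added example that is not the answerer's code: it forwards only the parameters Firebase itself appends to the action link (mode, oobCode, apiKey, continueUrl, lang) and always targets a fixed firebaseapp.com host, so the page on your own domain cannot be turned into an open redirect. The project id and the yourdomain.com path are placeholders.

```javascript
// Added example, not from the original answer. Serve this at the URL you set as the
// email template's action URL (e.g. https://www.yourdomain.com/account-action).
const FIREBASE_PROJECT_ID = "your-project-id"; // placeholder: replace with your own project id

// Parameters Firebase appends to email action links; anything else is dropped.
const ALLOWED_PARAMS = ["mode", "oobCode", "apiKey", "continueUrl", "lang"];
// Modes for the three actions the answer lists (add "signIn" only if you use email-link sign-in).
const ALLOWED_MODES = ["resetPassword", "recoverEmail", "verifyEmail"];

// Build the firebaseapp.com action URL from the incoming query string.
// Returns null when the request does not look like a Firebase action link, so the
// caller shows an error instead of forwarding arbitrary input anywhere.
function buildAuthActionRedirect(search, projectId = FIREBASE_PROJECT_ID) {
  const incoming = new URLSearchParams(search);
  const mode = incoming.get("mode");
  const oobCode = incoming.get("oobCode");
  if (!ALLOWED_MODES.includes(mode) || !oobCode) {
    return null;
  }
  const outgoing = new URLSearchParams();
  for (const name of ALLOWED_PARAMS) {
    const value = incoming.get(name);
    if (value !== null) outgoing.set(name, value);
  }
  // The host is fixed to the project's own domain and never taken from the request.
  return `https://${projectId}.firebaseapp.com/__/auth/action?${outgoing.toString()}`;
}

// In the browser, run the redirect as soon as the page loads.
if (typeof window !== "undefined") {
  const target = buildAuthActionRedirect(window.location.search);
  if (target) {
    window.location.replace(target);
  } else {
    document.body.textContent = "This link is not a valid account action link.";
  }
}
```

Because the email now links to your own domain, remember to add that domain under Authorized Domains as the answer notes, and keep continueUrl pointing at your site so the user lands back there afterwards.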
-1

If you're using Firebase hosting, and you're serving from their built-in your-project.web.app address, then you can simply use the other built-in, your-project.firebaseapp.com, as your site address instead -- no configuration needed.

The .web.app address is a bit sexier, but the various action emails are actually sent from the .firebaseapp.com, and Outlook is suspicious of the mismatch. Having users originate from the .firebaseapp.com address solves the issue.

I opened a GitHub issue about this: https://github.com/firebase/firebase-js-sdk/issues/5021

Kreit answered 12/6, 2021 at 18:36 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.