Office 365 Advanced Threat Protection is flagging my Firebase Authentication emails

I have just today realised that the authorisation emails sent from my perfectly legitimate Firebase backend are being flagged as malicious by Microsoft Outlook's "Advanced Threat Protection"


There is no reason for this other than perhaps it was flagged during development due to me sending myself repeated confirmation emails in order to test the functionality.

This warning does not show up in regular hotmail/outlook accounts, but I am an Office 365 subscriber so it appears as though I am lucky enough to get this "advanced" protection which protects me from my own completely non-malicious website.

Should I contact Microsoft or Firebase for a solution?

Thanks a lot!

Update: I contacted Firebase support and received the following:

My name is XXXX from Firebase Support, thank you for reaching out to us, problems on Microsoft services such as this “Advanced Threat Protection” are not in my area of expertise, I would suggest to open a ticket with Microsoft for this issue, I see that there is already a topic on Stack Overflow, please be sure to check other Firebase community channels as well.

I understand that this isn't Google's problem to solve, but it would seem any Firebase app using email verification is going to run into trouble with Microsoft email systems. Which is a lot of corporate and government systems...

Any suggestions on how to get some attention paid to this from either Google or Microsoft?

J Dawg Avatar asked Oct 04 '18 00:10



1 Answer

Cause

This error is caused by having inconsistent domains in the email. By default, user management emails link to the default action handler, which is a web page hosted at a URL in your project's Firebase Hosting domain ([project].firebaseapp.com), rather than the same domain you may be sending emails from ([email protected]).

Solution

Make this “action link” go directly to your website. This will solve the Outlook warning, and also make it less likely you'll end up in spam filters in general. On your website, you have two options for how to handle the actual validation.

Both solutions below require your domain to be authorized.

This can be done under Authentication -> Sign-In Providers -> Authorized Domains

Option 1 - Use Custom Email Action Handlers (Hard option)

You can set up a custom email action handler so that these actions take place directly on your website, rather than on the Firebase-hosted page. This is a more integrated experience.

This can handle

  • Resetting passwords
  • Revoking email address changes—when users change their accounts' primary email addresses, Firebase sends an email to their old addresses that allow them to undo the change
  • Verifying email addresses

1. Create your custom email handler page

custom email action handler page - firebase docs

2. Update Email Template In Firebase

This can be done under Authentication -> Templates -> Email Address Verification -> Customize Action URL

Option 2 - Just Redirect (Easy option)

Link the email back to a page on your website that will immediately perform a JavaScript redirect to the [project].firebaseapp.com authentication page, carrying through the URL parameters required to perform the necessary verifications and changes.

For example

  • action url for email template: https://www.yourdomain.com/account-action (Firebase will attach the appropriate params to the URL automatically)
  • JavaScript redirect on your website goes to "https://project-name.firebaseapp.com/__/auth/action?" + params

I recommend ensuring you implement the continueUrl in your verification email delivery so that the user can easily get back to your website.

Matthew Rideout Avatar answered Nov 02 '22 13:11

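As an added example (not code from the answer above, nor from Firebase), here is a small page-side module that implements the "just redirect" option, and a mode dispatcher of the shape a custom action handler page (option 1) needs. The query parameter names (mode, oobCode, apiKey, continueUrl, lang) and the mode values are the ones Firebase appends to its action links; the project id `project-name`, the page URL and the handler callbacks are constructed placeholders. The redirect target host is derived from a fixed project id rather than from anything in the incoming link, and only a fixed allow-list of parameters is forwarded, so the redirect page cannot be turned into an open redirect by tampering with the emailed URL.

```javascript
// Added example: redirect page logic for a Firebase email action link.
// Not part of the original answer; project id and URLs are placeholders.

// Only these query parameters are forwarded to the Firebase-hosted action page.
// Anything else in the incoming URL is dropped rather than forwarded blindly.
const FORWARDED_PARAMS = ['mode', 'oobCode', 'apiKey', 'continueUrl', 'lang'];

// Mode values Firebase places in the action link.
const KNOWN_MODES = new Set(['resetPassword', 'recoverEmail', 'verifyEmail']);

// Extract the action parameters from a query string ("?mode=...&oobCode=...").
// Returns null when the link does not carry the minimum needed to act on it.
function parseActionParams(queryString) {
  const incoming = new URLSearchParams(queryString);
  const mode = incoming.get('mode');
  const oobCode = incoming.get('oobCode');
  if (!mode || !oobCode || !KNOWN_MODES.has(mode)) {
    return null;
  }
  const params = {};
  for (const name of FORWARDED_PARAMS) {
    const value = incoming.get(name);
    if (value !== null && value !== '') params[name] = value;
  }
  return params;
}

// Option 2 from the answer: build the redirect target. The destination host is
// built from a fixed, validated project id, never from the incoming URL.
function buildAuthActionRedirect(projectId, queryString) {
  if (!/^[a-z0-9][a-z0-9-]{4,28}[a-z0-9]$/.test(projectId)) {
    throw new Error('invalid Firebase project id');
  }
  const params = parseActionParams(queryString);
  if (params === null) return null;
  const target = new URL(`https://${projectId}.firebaseapp.com/__/auth/action`);
  for (const [name, value] of Object.entries(params)) {
    target.searchParams.set(name, value);
  }
  return target.toString();
}

// Option 1 from the answer: a custom handler page dispatches on mode. The
// handlers object is supplied by the page; in a real page each callback would
// wrap the matching Firebase Auth SDK call (e.g. applyActionCode for
// verifyEmail, verifyPasswordResetCode / confirmPasswordReset for resetPassword).
function handleAction(params, handlers) {
  if (params === null) {
    throw new Error('missing or unknown action parameters');
  }
  const handler = handlers[params.mode];
  if (typeof handler !== 'function') {
    throw new Error(`no handler registered for mode ${params.mode}`);
  }
  return handler(params.oobCode, params.continueUrl || null);
}

// Browser glue for the redirect option: runs only when loaded in a page.
if (typeof window !== 'undefined' && window.location) {
  const redirect = buildAuthActionRedirect('project-name', window.location.search);
  if (redirect !== null) {
    window.location.replace(redirect);
  } else {
    document.body.textContent = 'This link is invalid or has expired.';
  }
}
```

On the account-action page, the script above either forwards the user to the Firebase-hosted handler with the same parameters Firebase attached, or shows a plain error when the link is malformed; a link with an unknown mode or a missing oobCode is never forwarded.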