Tocmail Inc. v. Microsoft Corp.

Decision Date: 21 December 2021
Docket Number: CASE NO. 20-60416-CIV-CANNON/Hunt
Citation: 576 F.Supp.3d 1220
Parties: TOCMAIL INC., Plaintiff, v. MICROSOFT CORPORATION, Defendant.
Court: U.S. District Court — Southern District of Florida

Joshua David Martin, Johnson & Martin, P.A., Fort Lauderdale, FL, for Plaintiff.

Evelyn Anne Cobos, Francisco Oscar Sanchez, Greenberg Traurig, P.A., Miami, FL, Mary-Olga Lovett, Pro Hac Vice, Rene Trevino, Pro Hac Vice, Greenberg Traurig LLC, Houston, TX, for Defendant.

ORDER GRANTING DEFENDANT'S MOTION FOR SUMMARY JUDGMENT

AILEEN M. CANNON, UNITED STATES DISTRICT JUDGE

THIS CAUSE comes before the Court upon Plaintiff's Motion for Summary Judgment ("Plaintiff's Motion") [ECF No. 96] and Defendant's Motion for Summary Judgment ("Defendant's Motion") [ECF No. 98]. The Court has reviewed Plaintiff's Motion, Defendant's Motion, and the full record [ECF Nos. 95, 97, 100, 109, 110, 111, 112, 114, 115, 116, 117]. Upon careful review, Plaintiff's Motion for Summary Judgment is DENIED, and Defendant's Motion for Summary Judgment is GRANTED.

FACTUAL BACKGROUND

This case involves alleged false or misleading advertising under the Lanham Act based on Microsoft's promotion of its cybersecurity software. The material facts viewed in the light most favorable to Plaintiff as the non-moving party are as follows.

Plaintiff TocMail Inc. ("TocMail") filed this suit against Microsoft Corporation ("Microsoft") seeking injunctive relief and damages for alleged violations of the Lanham Act, 15 U.S.C. § 1125(a)(1)(B), for false or misleading advertising of its link scanning service, Safe Links [ECF No. 42 ¶ 106]. Microsoft's allegedly deceptive ads are detailed further below. See infra pp. 1224–25.

Safe Links is a cybersecurity feature within Microsoft's cloud-based email filtering service that was originally named "Advanced Threat Protection" ("ATP") and later renamed "Microsoft Defender for Office 365" ("Defender") [ECF No. 95]. Defender generally provides anti-phishing and anti-malware protection, among other things [ECF No. 100 ¶ 9; ECF No. 110 ¶ 9]. Microsoft introduced Safe Links in 2015, alongside another service called Safe Attachments, as a service that protects users from malicious URLs [ECF No. 95 ¶ 2; ECF No. 97 ¶ 1; ECF No. 100 ¶ 1]. The term URL refers to a link to a website within a document that takes users to a particular online web address [ECF No. 97 ¶ 3; ECF No. 112 ¶ 3]. Safe Links began as a reputation service that checks URLs against a list of known malicious links [ECF No. 97 ¶ 2; ECF No. 112 ¶ 2]. Microsoft later added another capability to Safe Links called URL detonation, which analyzes the web content linked to by the URL to "determine whether that website is good or bad" [ECF No. 97 ¶¶ 7–8; ECF No. 112 ¶¶ 7–8; ECF No. 97-15; ECF No. 97-6 pp. 5:3–20, 11:22–23]. Links that pass through the reputation check then go to the detonation service for analysis [ECF No. 97 ¶ 8; ECF No. 112 ¶ 8]. Microsoft internally refers to its detonation service as "Sonar" [ECF No. 97 ¶ 8; ECF No. 112 ¶ 8]. Together, reputation and detonation "are the two primary components" of Safe Links [ECF No. 97 ¶ 8; ECF No. 112 ¶ 8]. Microsoft internally refers to instances where its detonation check wrongly classifies a malicious link as benign as a "false negative" or "FN" [ECF No. 97 ¶ 9; ECF No. 112 ¶ 9].

Hackers use various forms of "evasion"—techniques that disguise malicious content and make it appear benign—to circumvent cybersecurity software [ECF No. 110-1 p. 7:3–8; ECF No. 112 ¶ 6; ECF No. 116 ¶ 6]. Microsoft has identified several broad types of evasion, including sandbox evasion, app level evasion (or browser-based evasion), geo evasion, time delayed evasion (or time-based evasion), human based evasion, and IP evasion (also sometimes referred to as network evasion) [ECF No. 110-1 p. 7:13–22; ECF No. 97-20 pp. 3, 20; ECF No. 97-53 p. 2 ("Attackers are preventing our ability to see the phish content/landing pages due to various types of evasion techniques ....")]. IP evasion means that phishing URLs use the visitor's IP address to determine whether that visitor is a human user or security software and then display different content accordingly [ECF No. 97 ¶ 11 ("[O]ur definition of IP evasion[:] an attacker can create a link where when Sonar visits that link the attacker can determine the IP ranges of our visit.... [I]f they determine our visit from Sonar detonation is coming from Microsoft's IP range they can choose to use that information to display whatever web page they wish to."); ECF No. 112 ¶ 11]. Attackers then send benign content to the security scanner and malicious content to the intended victims [ECF No. 97 ¶ 11; ECF No. 112 ¶ 11]. IP evasion is "a common tactic" that attackers use today [ECF No. 97 ¶ 12; ECF No. 112 ¶ 12]. TocMail uses the term "IP cloaking" for what Microsoft calls IP evasion; those terms are interchangeable [ECF No. 97 ¶ 11; ECF No. 112 ¶ 11].

Microsoft staff were aware of the existence of IP evasion in 2016 and even as early as 2010 [ECF No. 97 ¶ 15; ECF No. 112 ¶ 15]. Safe Links is not 100% effective against malicious URLs using IP evasion [ECF No. 100 ¶ 6]. A slide from a March 2017 internal Microsoft titled "Why does detonation have false negatives?" identified IP evasion as an issue [ECF No. 97-37 p. 42 ("Sonar currently does not use un-attributable network space for routing detonation network traffic.... Attackers can easily attribute the traffic to Microsoft and not serve the phish content")]. Microsoft recognized that IP evasion was a problem for Safe Links, particularly around 2018 as phishing attacks using IP evasion "started escalating" [ECF No. 97-6 p. 17:21–25]. For example, an internal Microsoft email sent on June 28, 2018 describes a recent incident where Safe Links did not detect a malicious URL sent to a client's CEO that used "IP based evasion" [ECF No. 97-41 p. 3]. The email adds that "[t]his was also called out by the Sonar Analyst team as one of the top reasons for [false negatives]," and that "in the case of a targeted attack[,] it is easy for an attacker to only display malicious content in specific targeted IP ranges" [ECF No. 97-41 p. 3]. In November 2018, Microsoft launched a new feature within Safe Links called IP Anonymization [ECF No. 97 ¶ 28; ECF No. 112 ¶ 12]. IP Anonymization was intended to help counteract IP evasion by routing detonation web traffic through third-party IP addresses [ECF No. 100 ¶ 5]. IP evasion is a topic that sometimes came up between Microsoft and customers, with at least one customer asking "[w]hy is an IP-address range used which is easily attributable to Microsoft?" [ECF No. 97-90 p. 5]. According to Microsoft's internal "talking points" for a meeting with that customer, Microsoft's response included discussion of IP Anonymization as a partial solution within Microsoft's "layered defense" approach to evasion [ECF No. 97-90 pp. 5, 8–9].

In December 2019, TocMail's namesake product, "TocMail"—a cloud-based, email security service that competes with Safe Links—became available for purchase [ECF No. 95 ¶ 4; ECF No. 97 ¶ 43; ECF No. 95-5, p. 5].

Microsoft's Promotion of Safe Links

Microsoft promoted its Safe Links service through various brochures, product guides, and other promotional materials [ECF No. 97 ¶¶ 44–51; ECF No. 100 ¶ 14]. At issue in this case are three messages promoting Safe Links [ECF No. 42 ¶¶ 56–75].

Message #1

The first message promoting Safe Links, which appears in both video and print, states:

Sophisticated attackers will plan to ensure links pass through the first round of security filters. They do this by making the links benign, only to weaponize them after the message is delivered, altering the destination of the links to a malicious site.... With Safe Links, we are able to protect users right at the point of click by checking the link for reputation and triggering detonation if necessary.

[ECF No. 97-63; ECF No. 97-64; ECF No. 97-66 p. 9].

Message #2

The second message promoting Safe Links, which appears on Microsoft's website, blog, and ATP Product guide, provides:

EOP scans each message in transit in Office 365 and provides time of delivery protection, blocking any malicious hyperlinks in a message. But attackers sometimes try to hide malicious URLs within seemingly safe links that are redirected to unsafe sites by a forwarding service after the message has been received. The ATP Safe Links feature proactively protects your users if they click such a link. That protection remains every time they click the link, so malicious links are dynamically blocked while good links can be accessed.

[ECF No. 97-1 p. 2; ECF No. 97-36 p. 6; ECF No. 97-70 p. 3].

Message #3

The third message promoting Safe Links, which appears in a promotional slide presentation and Pitch Deck, states: "[e]nsure users are protected against URLs that redirect to malicious sites. Safe Links will proactively protect your users every time they click a link, ensuring malicious links are dynamically blocked even if they are changed after the message has been received" [ECF No. 97-30 p. 15; ECF No. 97-71 p. 20 ("Ensure hyperlinks in documents are harmless with ATP Safe Links")].

PROCEDURAL HISTORY

TocMail filed its complaint on January 10, 2020 [ECF No. 1]. The initial complaint raised two counts arising under 15 U.S.C. § 1125(a)(1)(B) of the Lanham Act: False Advertising (Count One) and Contributory False Advertising (Count Two) [ECF No. 1 ¶¶ 189, 205]. Microsoft then moved to dismiss both counts on the basis that TocMail lacked standing and failed to state a claim for which relief could be granted [ECF No. 14]. The Court denied the motion as to Count One and dismissed Count Two, giving TocMail leave to file an Amended Complaint [ECF No. 41].

TocMail then filed the operative First Amended Complaint, which contains a single count for False and Misleading Advertising under the Lanham Act, 15 U.S.C. § 1125(a)(1)(B) [ECF No. 2 ¶ 106]. TocMail seeks monetary damages as well...
