TocMail Inc. v. Microsoft Corp., 2021 WL 6750789, No. 20-60416-CIV-CANNON/Hunt (S.D. Fla. Dec. 21, 2021)
Though TocMail made it past a motion to dismiss, it failed at the summary judgment stage in its claim that Microsoft falsely advertised its link scanning service’s capabilities, thus locking TocMail out of a big market. Safe Links is part of Microsoft’s anti-phishing and anti-malware Defender package. It began as a list of dangerous URLs, and later added a reputation/“detonation” check that analyzes the content linked to by the URL. Hackers’ security evasion techniques include using a visitor’s IP address to determine whether that visitor is a human user or security software and then displaying different content accordingly, so that a visit from Microsoft’s IP range sees only anodyne content while the actual email recipient would get malware if they clicked; such IP evasion is “common” today. Internally, Microsoft recognized this as a problem as early as 2010, and the problem escalated around 2018, when it launched a new feature that was intended to help counteract IP evasion.
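To make the evasion concrete from the defender’s side, here is an added illustration (not Microsoft’s code, and nothing from the court record) of how a click-time scanner can notice IP-based cloaking: fetch the landing page from more than one egress network and flag any URL whose content differs by vantage point. The URLs, vantage names and page bodies are constructed for the example; the `fetchers` stand in for a detonation service with several egress ranges.

```python
"""Click-time URL check with a vantage-point consistency test (constructed example)."""
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict

Fetcher = Callable[[str], str]  # returns the HTML the vantage point saw for a URL


def fingerprint(html: str) -> str:
    """Normalize whitespace/case and hash, so cosmetic differences are not flagged."""
    norm = re.sub(r"\s+", " ", html).strip().lower()
    return hashlib.sha256(norm.encode()).hexdigest()


@dataclass
class Verdict:
    blocked: bool
    reason: str


def click_time_verdict(url: str, blocklist: set[str], fetchers: Dict[str, Fetcher]) -> Verdict:
    """Block on a known-bad list first; otherwise require every egress to see the same page."""
    if url in blocklist:
        return Verdict(True, "url on blocklist")
    prints = {name: fingerprint(fetch(url)) for name, fetch in fetchers.items()}
    if len(set(prints.values())) > 1:
        # Different content per egress is the signature of IP-based cloaking:
        # the page cannot be trusted on the strength of what the scanner's range saw.
        return Verdict(True, "content differs across vantage points: " + ", ".join(sorted(prints)))
    return Verdict(False, "consistent across vantage points")


# Constructed canned responses. The "invoice" site cloaks: the scanner's attributable
# egress gets a bland page, a non-attributable egress gets the credential form.
# The "news" site differs only in whitespace and must not be flagged.
CANNED = {
    "https://example.test/invoice": {
        "scanner-egress": "<html><body>Welcome to our site</body></html>",
        "residential-egress": "<html><body><form>Enter your password</form></body></html>",
    },
    "https://example.test/news": {
        "scanner-egress": "<html><body>Daily   news</body></html>",
        "residential-egress": "<html><body>Daily news</body></html>",
    },
}

FETCHERS: Dict[str, Fetcher] = {
    vantage: (lambda url, v=vantage: CANNED[url][v]) for vantage in ("scanner-egress", "residential-egress")
}

if __name__ == "__main__":
    for u in CANNED:
        print(u, click_time_verdict(u, set(), FETCHERS))
```

The check only works if at least one egress is not attributable to the scanner, which is exactly the customer question the court quotes later about an IP range “easily attributable to Microsoft.”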
Challenged advertising: (1) “Sophisticated attackers will plan to ensure links pass through the first round of security filters. They do this by making the links benign, only to weaponize them after the message is delivered, altering the destination of the links to a malicious site.... With Safe Links, we are able to protect users right at the point of click by checking the link for reputation and triggering detonation if necessary.” (2) “[A]ttackers sometimes try to hide malicious URLs within seemingly safe links that are redirected to unsafe sites by a forwarding service after the message has been received. The ATP Safe Links feature proactively protects your users if they click such a link. That protection remains every time they click the link, so malicious links are dynamically blocked while good links can be accessed.” (3) “Ensure users are protected against URLs that redirect to malicious sites. Safe Links will proactively protect your users every time they click a link, ensuring malicious links are dynamically blocked even if they are changed after the message has been received.”
In context, the court determined, these claims weren’t
literally false. “Statements that have an unambiguous meaning, either facially
or considered in context, may be classified as literally false.” TocMail argued
that the ads were literally false because they necessarily and falsely implied
that Safe Links “provides effective protection” against URLs that use IP
evasion. Meanwhile, Microsoft’s own internal communications identified “gaps”
in protection based on IP evasion that could be “easily” bypassed.
Microsoft argued that it didn’t present Safe Links as a
solution to IP evasion or guarantee that Safe Links would block every single
type of attack every single time, and that (3)’s “[e]nsure document hyperlinks
are harmless with ATP Safe Links” was puffery. Microsoft emphasized that the
intended audience was technologically sophisticated and, it argued, would not
interpret the ads as promising impervious protection. The court rejected the
puffery argument: “Although Message #3 is vague and generalized, the Court does
not find that the word ‘ensure’ is non-actionable puffery since it is neither a
statement of superiority nor quite so exaggerated that no reasonable consumer
would be justified in relying upon it. The record demonstrates that at least
some Microsoft customers have the ‘common misapprehension’ that ‘no phishing
emails ... should reach users.’”
The court then found the ads ambiguous. One possible
interpretation was that they just “describe at a basic level what Safe Links
does,” including checking when a user clicked on a link. This was a reasonable
interpretation in context because other statements in the ads “undercut the
impression that Microsoft is promoting 100% protection,” e.g., stating that
Safe Links “mitigate[s] malicious content” and “helps prevent
users from going to malicious websites when they click them in email” or “No
solution is 100% effective, and that makes it important to have an ‘assume
breach’ mindset.”
TocMail argued that the ads promised “effective protection,”
especially (3), and that was definitely possible, but in context it was only
one of the reasonable interpretations of the ads, especially given that
Microsoft was advertising to “business enterprise customers, with the intended
audience consisting of IT professionals well-versed in the cybersecurity
industry,” which fundamentally understands “the reality that security threats
are ‘constantly evolving.’” So a reasonable audience could interpret even
“ensure” as not guaranteeing 100% threat avoidance. [Microsoft successfully
framed this issue: one alternative would be whether “effective” here means “not
ignoring known problems.”]
Thus, TocMail needed to present evidence of actual
deception, and it didn’t. There wasn’t consumer survey evidence or other expert
testimony about deception. Microsoft’s internal documents did reveal one
customer question that raises IP evasion as a possible security concern: “[w]hy
is an IP-address range used which is easily attributable to Microsoft?” In
response, Microsoft touted its use of some IP anonymization and other
monitoring activities “to ensure effectiveness,” as well as its “explor[ation
of] new ideas.” But the question didn’t show that the customer was deceived
into thinking that Microsoft’s product provides foolproof protection against IP
evasion.