Microsoft Investigates Exchange Online Bug Flagging Legitimate Emails as Phishing

Microsoft is investigating an ongoing issue in Exchange Online that is mistakenly flagging legitimate emails as phishing and automatically quarantining them, disrupting email delivery for affected customers. The incident began on February 5 and continues to impact users by preventing some emails from being sent or received. Microsoft acknowledged the problem in a service alert, stating that valid messages are being incorrectly identified as phishing and moved to quarantine.

According to Microsoft, the issue stems from URLs within the affected emails being wrongly classified as malicious. The company explained that evolving detection criteria designed to counter increasingly sophisticated spam and phishing techniques led to the misclassification. Over the weekend, Microsoft confirmed that a recently updated URL rule is the root cause of the problem. The rule, intended to improve detection of advanced phishing attempts, is instead flagging some legitimate URLs and quarantining the associated emails.

Microsoft has not disclosed how many customers are affected or which regions are impacted. However, the company has categorized the situation as an incident, indicating noticeable user impact. As a temporary mitigation, Microsoft is working to release quarantined emails and unblock verified legitimate URLs. Affected users may begin to see previously quarantined messages delivered back to their inboxes as remediation progresses. An estimated timeline for full resolution has not yet been provided.

This is not the first time Exchange Online has faced similar issues. In recent years, multiple incidents have resulted in legitimate emails being quarantined or incorrectly marked as spam, including cases caused by anti-spam bugs and misbehaving machine learning models.