Exchange Online Incident Flags Valid Emails as Phishing, Microsoft Confirms
Microsoft has confirmed it is investigating an ongoing Exchange Online incident that incorrectly flags legitimate emails as phishing and places them in quarantine.
The company posted a service alert explaining that some customers may be unable to send or receive email messages due to false-positive phishing detections. The issue began on February 5 and remains unresolved.
New Exchange URL rule labels email as phishing
Microsoft says the problem stems from URLs inside emails being incorrectly identified as malicious. Over the weekend, the company confirmed that a newly introduced URL detection rule caused the misclassification.
The rule was designed to catch more advanced spam and phishing techniques, but it ended up quarantining legitimate messages instead. Microsoft has classified the situation as an incident, which signals noticeable user impact.
Quarantined emails are slowly released
Engineers are actively reviewing quarantined messages and unblocking confirmed legitimate URLs. Microsoft says it is also working to release the affected emails back to users.
Some customers may already notice previously quarantined messages arriving in their inboxes. However, Microsoft has not shared an estimated timeline for a full fix, nor has it disclosed how many customers or regions are affected.
The incident comes shortly after Microsoft confirmed the shutdown of Exchange Web Services for Exchange Online. The company has also warned administrators about using local Exchange Online mailbox moves and recently began blocking email access through Microsoft Intune on non-compliant devices.
Microsoft has not indicated whether the current email misclassification issue relates to these broader changes.