Microsoft Exchange Online and Teams Messages Quarantined After Phishing Detection Error


Microsoft has confirmed an Exchange Online issue that mistakenly quarantined legitimate emails due to faulty phishing detection logic. The incident blocked links, triggered false alerts, and removed messages across Microsoft 365 services.

The company has now resolved the issue and is preparing a full post-incident report.

Faulty phishing detection rules trigger widespread false positives

According to BleepingComputer, the problem stemmed from heuristic detection rules designed to catch credential phishing campaigns. A logic error in a security system update caused thousands of legitimate URLs to be flagged as malicious.

Exchange Online began quarantining emails and blocking links in both Outlook and Microsoft Teams messages. Users also received alerts about “potentially malicious URL clicks,” which Microsoft later confirmed were false positives.

The issue was tracked internally as EX1227432 and started on February 5.

Automated systems amplified the impact

The updated detection system flagged URLs at a much higher rate than intended. Automated remediation tools then escalated the problem.

Zero-hour Auto Purge (ZAP) events removed emails and Teams messages containing flagged links. Microsoft Defender XDR also generated alerts related to the same URLs, compounding confusion for administrators.

Other interconnected security tools within Microsoft’s detection infrastructure amplified the disruption. A separate bug in the security signature system delayed the rollback of the flawed rules, extending the incident timeline.

Timeline and resolution details

Microsoft confirmed that the incident ran from February 5 through February 12. The company has since fully resolved the issue.

Administrators who received alerts regarding suspicious URL clicks can now treat them as false positives related to this event. Microsoft has not disclosed the total number of affected users but classified the situation as an official “incident,” signaling noticeable customer impact.

A final post-incident report is expected within five business days of resolution.
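For administrators cleaning up after an event like this, the practical task is to find what the faulty rules quarantined during the incident window, review it, and release only the legitimate items. The following Exchange Online PowerShell script is an added example written for this article; it is not code from Microsoft or from the report. It assumes the ExchangeOnlineManagement module is installed, that the account holds a quarantine-management role, and that the year of the February 5 to February 12 window is the current one (the article does not state it). The CSV file names are assumptions as well.

```powershell
# Added example (not from the article or from Microsoft): triage of messages that
# Exchange Online quarantined with a phishing verdict during the incident window,
# so an administrator can review them and release only the confirmed false positives.
# Assumptions: ExchangeOnlineManagement module installed; quarantine-management role;
# the year of the window (the article gives only "February 5 through February 12").

Connect-ExchangeOnline

$year        = (Get-Date).Year                      # assumption: current year
$windowStart = Get-Date "$year-02-05"
$windowEnd   = Get-Date "$year-02-13"               # exclusive bound: end of Feb 12

# Collect quarantined items with a phishing verdict, paging through results
# (PageSize 1000 is the cmdlet's maximum per call).
$flagged = @()
foreach ($verdict in 'Phish', 'HighConfPhish') {
    $page = 1
    do {
        $batch = Get-QuarantineMessage -StartReceivedDate $windowStart `
                                       -EndReceivedDate $windowEnd `
                                       -Type $verdict -PageSize 1000 -Page $page
        $flagged += $batch
        $page++
    } while ($batch.Count -eq 1000)
}

# Summarise unreleased items by sender domain; a burst of quarantines from
# well-known, normally trusted domains is the signature of a rule false positive.
$flagged |
    Where-Object { -not $_.Released } |
    Group-Object { ($_.SenderAddress -split '@')[-1] } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Export the full list for human review. Real phishing was also caught in the
# same window, so nothing is released until a reviewer has vetted the sender.
$flagged |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Type, Identity |
    Export-Csv -Path .\quarantine-review.csv -NoTypeInformation

# After review, release only the vetted items. The reviewed CSV (assumed name)
# keeps the Identity column; -WhatIf previews the action without performing it.
$approved = Import-Csv .\quarantine-approved.csv
foreach ($item in $approved) {
    Release-QuarantineMessage -Identity $item.Identity -ReleaseToAll -WhatIf
}
```

The deliberate split between the export and the release step matters: bulk-releasing everything quarantined in the window would also let through the genuine phishing that the rules caught correctly. Drop `-WhatIf` only once the approved list has been reviewed. Teams messages removed by ZAP are not covered by this script; the article does not describe a recovery path for them.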

This event follows previous Exchange Online issues involving spam filtering errors and incorrect email quarantining. It also comes shortly after Microsoft acknowledged a separate bug where Copilot Chat summarized confidential emails without proper restriction.

Additionally, Microsoft Teams experienced a recent outage, though that issue has already been resolved.

The latest incident highlights the complexity of automated phishing detection systems and the cascading effects of security rule updates across Microsoft’s cloud ecosystem.
