
Microsoft Exchange Online Flags Customers’ Legitimate Email as Phishing


Microsoft Exchange Online is experiencing a service degradation that incorrectly flags legitimate customer emails as phishing, quarantining them and disrupting communications. The issue, identified as EX1227432, started on February 5, 2026, at 10:31 AM EST and remains ongoing.

Microsoft classifies this as an incident affecting Exchange Online, with some users unable to send or receive emails normally. Legitimate messages are being marked as phishing due to overly aggressive detection criteria designed to counter sophisticated spam and phishing tactics. A new URL rule is the culprit, mistakenly identifying safe URLs as malicious, leading to quarantines.

Affected users see their inbound and outbound emails trapped in quarantine, impacting productivity across organizations relying on Exchange Online.

The impact is limited to specific email messages containing flagged URLs, though Microsoft has not detailed affected regions or customer numbers. Administrators report needing to release messages manually, and some previously quarantined messages are now being delivered following Microsoft’s interventions.

The company is actively reviewing quarantined messages and unblocking legitimate URLs to restore service. Updates over the weekend confirmed progress, with full remediation targeted soon and an estimated resolution time forthcoming.

Microsoft urges affected users to monitor the Microsoft 365 admin center for status on EX1227432.

This is not isolated; Exchange Online has faced repeated false positives. In May 2025, a machine learning model wrongly tagged Gmail emails as spam (EX1064599).

In March, anti-spam systems quarantined legitimate messages, while in September 2025, bugs blocked URLs in emails and Teams. Earlier cases involved bit.ly links and attachments triggering high-confidence phishing flags.

Cybersecurity forums buzz with frustration over Exchange’s anti-phishing policies, which override whitelists for high-confidence detections. Users on Reddit report persistent issues since 2022, often requiring support tickets for backend fixes.

Sysadmins note patterns like DMARC-lacking senders with attachments or image-heavy signatures triggering quarantines.

As phishing evolves, Microsoft’s ever-updating defenses risk overreach, balancing security against usability. This incident underscores the challenges of AI-driven email filtering amid rising threats like spoofed internals. Organizations are advised to report false positives via quarantine tools and consider third-party filters for redundancy.

In a statement, Microsoft emphasized ongoing improvements to prevent recurrence, though no timeline for full fixes exists yet. Customers should check quarantines regularly and avoid bypassing policies, as high-confidence phishing ignores most overrides.
