Microsoft has revealed that a software error in its Exchange Online anti-phishing system incorrectly flagged thousands of legitimate URLs as phishing links for nearly a week, blocking users across its productivity suite from accessing emails and Teams messages.

The incident, tracked under the identifier EX1227432, began on February 5 and continued until February 12, when Microsoft finally resolved the issue. During this period, users found themselves unable to open links in messages, with some emails being quarantined entirely by the system.
Microsoft attributed the problem to a logic error in heuristic detection rules designed to identify novel credential phishing campaigns. The company explained that shortly after the system was updated, it began flagging legitimate URLs at a far higher rate than intended, triggering a cascade of automated responses that amplified the problem.
"This issue occurred due to a logic error in a heuristic detection aimed at novel credential phishing campaigns that spiked several hours after release," Microsoft stated in its preliminary post-incident report. "This spike in detection resulted in thousands of URLs being incorrectly identified as phishing, triggering blocks for newly delivered emails containing those URLs, ZAP events to remove email and Teams messages with those URLs in them, and also generating XDR alerts for click events related to these alerts."
Administrators received warnings that "potentially malicious URL click was detected," which Microsoft later confirmed were false positives. The company noted that other security tools within its detection infrastructure also amplified the incident's impact, and a separate bug in the company's security signature systems further delayed efforts to roll back the flawed detection rules.
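The cascade described above, in which one rule's verdicts drive delivery blocks, ZAP removals and XDR alerts, is why a detection pipeline needs a rate-based circuit breaker that suspends a rule whose flag rate spikes far above its rollout baseline. The following is an added example and not Microsoft's code; the heuristic, the thresholds and the URL traffic are all constructed for illustration.

```python
from collections import deque
from urllib.parse import urlparse

class DetectionRateGuard:
    """Circuit breaker for one heuristic rule: keeps the last `window` verdicts
    and trips once the flag rate exceeds baseline_rate * max_multiplier.
    All thresholds are assumed values chosen for this demonstration."""

    def __init__(self, baseline_rate, max_multiplier=5.0, window=500, min_samples=100):
        self.limit = baseline_rate * max_multiplier
        self.verdicts = deque(maxlen=window)
        self.min_samples = min_samples
        self.tripped = False

    def record(self, flagged):
        """Record one verdict; return True if the rule is now suspended."""
        if not self.tripped:
            self.verdicts.append(flagged)
            if len(self.verdicts) >= self.min_samples:
                self.tripped = sum(self.verdicts) / len(self.verdicts) > self.limit
        return self.tripped

def suspicious_url(url):
    """Constructed stand-in for a credential-phishing heuristic. Its logic error
    is over-breadth: every hyphenated hostname is flagged, not just brand
    lookalikes, so a burst of legitimate links will spike its flag rate."""
    return "-" in (urlparse(url).hostname or "")

def triage(urls, heuristic, guard):
    """Return (url, action) pairs. 'block' stands for the whole cascade in the
    article (delivery block, ZAP removal, XDR alert); once the guard trips the
    rule's verdicts are recorded for review but no longer enforced."""
    results = []
    for url in urls:
        flagged = heuristic(url)
        if guard.record(flagged):
            results.append((url, "deliver (rule suspended)"))
        else:
            results.append((url, "block" if flagged else "deliver"))
    return results

def sample_traffic():
    """Constructed stream: 200 quiet URLs with one real lookalike, then a burst
    of 200 legitimate intranet links that happen to share the hyphen pattern."""
    quiet = [f"https://mail{i}.example/inbox" for i in range(200)]
    quiet[50] = "https://login-microsoft.example/verify"
    burst = [f"https://intranet-{i}.corp.example/doc/{i}" for i in range(200)]
    return quiet + burst
```

With a 1% baseline and a 5x multiplier the guard trips after nine of the legitimate burst links have already been blocked, which is the window a faster, rule-level rollback would need to shrink.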
While Microsoft has not disclosed the total number of impacted users, the company classified the issue as an "incident," which typically involves noticeable user impact. The problem affected both Exchange Online email services and Microsoft Teams messaging platforms, creating widespread disruption for businesses and individual users alike.
This is not the first time Microsoft has faced issues with its email security systems. In recent years, the company has dealt with several similar incidents:
- An Exchange Online bug that caused a machine learning model to incorrectly flag emails from Gmail accounts as spam
- Another issue that caused anti-spam systems to mistakenly quarantine some users' emails
- A September incident where an anti-spam service blocked Exchange Online and Microsoft Teams users from opening URLs and mistakenly quarantined some emails
- An ongoing bug that allowed Microsoft 365 Copilot Chat to summarize confidential emails since late January
Microsoft has committed to issuing a final report within five business days of full resolution, providing more detailed information about the incident's scope and the company's remediation efforts. The company's security systems are designed to protect users from phishing attacks and other threats, but this incident highlights the challenges of maintaining accurate detection while avoiding false positives that can disrupt legitimate business communications.
The incident serves as a reminder of the delicate balance that security vendors must strike between aggressive threat detection and maintaining service availability. While Microsoft's systems successfully blocked many actual phishing attempts, the collateral damage to legitimate communications demonstrates the ongoing challenges in developing reliable security automation.
For affected users, Microsoft has not provided specific guidance on recovering quarantined emails or messages, though the company's ZAP (Zero-hour Auto Purge) technology typically allows for restoration of mistakenly quarantined items. Organizations using Exchange Online and Microsoft Teams should monitor their security dashboards for any remaining false positive alerts and work with Microsoft support if they continue to experience issues with message delivery or access.
