Microsoft Exchange Online Flags Customers' Legitimate Email as Phishing

Brownie2019

Microsoft Exchange Online is experiencing a service degradation that incorrectly flags legitimate customer emails as phishing, quarantining them and disrupting communications. The issue, identified as EX1227432, started on February 5, 2026, at 10:31 AM EST and remains ongoing.

Microsoft classifies this as an incident affecting Exchange Online, with some users unable to send or receive emails normally. Legitimate messages are being marked as phishing due to overly aggressive detection criteria designed to counter sophisticated spam and phishing tactics. A new URL rule is the culprit, mistakenly identifying safe URLs as malicious, leading to quarantines.
This appears to be a real Microsoft 365 / Exchange Online false-positive incident (EX1227432) where legitimate messages are being classified as “phish” and quarantined due to URL detection logic/rules, with the public reports stating it began on February 5, 2026 and was still ongoing as of February 9, 2026. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-online-flags-legitimate-emails-as-phishing/))

What’s happening (practically) ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-online-flags-legitimate-emails-as-phishing/))
  • Some legitimate emails (not necessarily all) that contain certain URLs are getting tagged as phishing.
  • Those messages get quarantined, which can look like “missing mail” or disrupted mail flow.
  • Microsoft’s reported cause in these write-ups is a newly updated URL rule that became too aggressive and started catching benign URLs.

What to do as an M365/Exchange Online admin (safe, standard steps)
  • Track the official status in the Microsoft 365 admin center (Service health) under the incident ID EX1227432, and follow Microsoft’s guidance for that incident. ([cybersecuritynews.com](https://cybersecuritynews.com/microsoft-exchange-online-flags-legitimate-email/))
  • Review Quarantine for “Phish” detections and release impacted messages as appropriate. Where available, choose the option that also reports it as “not phishing / false positive” so Microsoft gets corrective telemetry.
  • Use Message trace to confirm the action taken (quarantined as phish) and to document impact for stakeholders.
  • Be cautious with bypass/allow workarounds:
    • Temporarily allow-listing specific URLs/domains may help in some cases, but broad allow rules can create real security gaps.
    • Also note: some “high confidence phish” style detections can override many tenant-side allow mechanisms, so “just whitelist it” may not reliably fix everything.

What to tell end users
  • This is consistent with a filtering false-positive incident, not automatically a sign of account compromise.
  • If they’re expecting an email and it doesn’t arrive, the right action is to notify IT/security so the message can be checked/released from quarantine through official channels.
  • Normal caution still applies: don’t click unexpected links just because a delayed email later arrives.

Bottom line: treat this as a Microsoft-side false positive incident, keep changes minimal/reversible, and focus on quarantine monitoring + release/reporting while Microsoft remediates EX1227432. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-online-flags-legitimate-emails-as-phishing/))
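The quarantine review, message trace and release-with-reporting steps above can be scripted against Exchange Online PowerShell. The following is an added example written for this thread, not code from the post, from BleepingComputer or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account has quarantine-management rights, and that the admin UPN, sender address, CSV paths and incident window are placeholders to be replaced with the tenant's own values.

```powershell
# Added example (not from the forum post or from Microsoft): review, document and
# release phish false positives during EX1227432 using ExchangeOnlineManagement.
# All addresses, paths and dates below are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# Review window: incident start per the public reports, through now (adjust as needed)
$start = Get-Date '2026-02-05 10:31'
$end   = Get-Date

# 1. Pull inbound messages quarantined as "Phish" in the window.
#    High-confidence phish is a separate quarantine type and is deliberately left out:
#    those verdicts can override tenant allow entries and deserve per-message review.
$phish = Get-QuarantineMessage -QuarantineTypes Phish -Direction Inbound `
            -StartReceivedDate $start -EndReceivedDate $end -PageSize 1000

# 2. Summarise by sender domain so reviewers can spot affected legitimate senders
#    without opening every message.
$phish |
    Group-Object { ($_.SenderAddress -split '@')[-1] } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 3. Export the full list to document impact for stakeholders.
$phish |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Identity |
    Export-Csv -Path '.\EX1227432-phish-quarantine.csv' -NoTypeInformation

# 4. Cross-check one affected sender with message trace: Status should read
#    "Quarantined" for the impacted items.
$sender = 'newsletter@partner.example'   # placeholder sender to investigate
Get-MessageTrace -SenderAddress $sender -StartDate $start -EndDate $end |
    Select-Object Received, SenderAddress, RecipientAddress, Subject, Status |
    Format-Table -AutoSize

# 5. Release only identities a human reviewer has confirmed as legitimate, and
#    report each as a false positive so Microsoft receives corrective telemetry.
#    $DryRun = $true prints the plan; set it to $false for the real release.
$DryRun    = $true
$confirmed = Import-Csv '.\EX1227432-reviewed.csv'   # reviewer-approved subset (placeholder file)
foreach ($m in $confirmed) {
    if ($DryRun) {
        Write-Host "Would release $($m.Identity) from $($m.SenderAddress) as false positive"
    } else {
        Release-QuarantineMessage -Identity $m.Identity -ReleaseToAll -ReportFalsePositive
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

The release step works from a reviewer-approved CSV rather than from the raw query on purpose: a blanket release of everything tagged "Phish" would also free any genuine phishing caught in the same window, which is the same trade-off the post warns about with broad allow rules.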
