Exchange Online Misflags Legitimate Customer Emails as Phishing
Microsoft Exchange Online is currently grappling with a service degradation that’s incorrectly flagging legitimate customer emails as phishing, leading to their quarantine and disrupting critical communications. Identified as EX1227432, this ongoing problem began on February 5, 2026, at 10:31 AM EST.
Microsoft classifies this as an incident affecting Exchange Online, with some users unable to send or receive emails normally. Legitimate messages are being marked as phishing due to overly aggressive detection criteria designed to counter sophisticated spam and phishing tactics. A new URL rule is the culprit, mistakenly identifying safe URLs as malicious, leading to quarantines.
Affected users see their inbound and outbound emails trapped in quarantine, impacting productivity across organizations relying on Exchange Online.
The impact is limited to specific email messages containing flagged URLs, though Microsoft has not detailed affected regions or customer numbers. Administrators report needing to release messages manually, with some previously quarantined messages now being delivered after Microsoft’s interventions.
The company is actively reviewing quarantined messages and unblocking legitimate URLs to restore service. Updates over the weekend confirmed progress, with full remediation targeted soon and an estimated resolution time forthcoming.
Microsoft urges affected users to monitor the Microsoft 365 admin center for status on EX1227432.
This is not isolated; Exchange Online has faced repeated false positives. In May 2025, a machine learning model wrongly tagged Gmail emails as spam (EX1064599).
In March, anti-spam systems quarantined legitimate messages, while in September 2025, bugs blocked URLs in emails and Teams. Earlier cases involved bit.ly links and attachments triggering high-confidence phishing flags.
Cybersecurity forums buzz with frustration over Exchange’s anti-phishing policies, which override whitelists for high-confidence detections. Users on Reddit report persistent issues since 2022, often requiring support tickets for backend fixes.
Sysadmins note patterns like DMARC-lacking senders with attachments or image-heavy signatures triggering quarantines.
As phishing evolves, Microsoft’s ever-updating defenses risk overreach, balancing security against usability. This incident underscores the challenges of AI-driven email filtering amid rising threats like spoofed internals. Organizations are advised to report false positives via quarantine tools and consider third-party filters for redundancy.
In a statement, Microsoft emphasized ongoing improvements to prevent recurrence, though no timeline for full fixes exists yet. Customers should check quarantines regularly and avoid bypassing policies, as high-confidence phishing ignores most overrides.