Microsoft Exchange Online is currently experiencing a service degradation that leads its anti-phishing filters to wrongly classify legitimate business emails as phishing and quarantine them, disrupting normal email flow for organizations using the cloud email service. The issue, tracked under service alert EX1227432, began on February 5, 2026, and is attributed to an overly aggressive new URL detection rule that flags safe links as malicious. Affected users have found both inbound and outbound messages trapped in quarantine, hampering communication and productivity. Microsoft has acknowledged the incident and is actively reviewing quarantined messages to restore delivery, but it has not yet shared a full timeline for resolution or details on how many customers or regions are impacted. This is part of a broader challenge for Microsoft’s automated filtering systems, which have previously flagged legitimate mail incorrectly due to evolving detection criteria intended to counter sophisticated phishing threats. Administrators and organizations are advised to monitor quarantine folders, release legitimate messages as they are restored, and await further updates from Microsoft while the company works on remediation.
Sources
https://cybersecuritynews.com/microsoft-exchange-online-flags-legitimate-email/
https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-online-flags-legitimate-emails-as-phishing/
https://winbuzzer.com/2026/02/09/microsoft-exchange-online-flags-legitimate-emails-phishing-xcxwbn/
Key Takeaways
• Microsoft Exchange Online is misclassifying legitimate business emails as phishing due to an aggressive URL detection rule, leading to quarantine and communication disruptions.
• The incident began on February 5, 2026, under service alert EX1227432, with Microsoft actively reviewing and releasing quarantined emails, though a full resolution timeline remains unknown.
• This false positive event highlights the ongoing difficulties in balancing automated phishing protections with legitimate email delivery in large-scale cloud environments.
In-Depth
Microsoft Exchange Online customers are currently contending with a significant issue in which normal, legitimate emails are being incorrectly labeled as phishing content and placed into quarantine, interrupting normal email communication. This problem, identified as service alert EX1227432 and first noticed on February 5, 2026, stems from a newly introduced URL detection rule that appears to be too strict in its criteria. The aim of the rule was to enhance protection against sophisticated phishing campaigns and spam, but instead it has caught numerous harmless links and the messages containing them. Organizations that rely on Exchange Online for both internal and external communication have experienced delays and blocked delivery as both inbound and outbound messages get flagged, complicating daily operations for teams that depend on timely messaging.
Microsoft has publicly acknowledged the issue and categorized it as a service incident, which signals noticeable impact on customers. Engineers are actively engaged in reviewing quarantined messages and unblocking those confirmed to be legitimate. Some users report seeing previously trapped emails finally arrive, indicating forward progress. However, Microsoft has not provided a firm timeline for when the detection rule will be fully fixed or how many users worldwide are affected. Administrative teams are being advised to monitor quarantine folders and release valid messages as they are restored while keeping an eye on official communications from Microsoft regarding remediation efforts.
This situation underscores a broader challenge for automated filtering systems: striking the right balance between aggressively identifying malicious content and avoiding false positives that hinder legitimate business communications. Microsoft’s layered defenses, which include machine learning, URL reputation scoring, and heuristic rules, are designed to protect users from increasingly sophisticated threats. Yet when those systems err on the side of caution, valid messages can suffer. Previous similar incidents have occurred with Exchange Online’s spam and phishing filters over the past year, highlighting the ongoing struggle to tune detection engines that operate at massive scale across diverse, real-world email traffic patterns. As email remains a critical medium for business workflows and security notifications, such false positives can erode trust and require organizations to adapt interim measures until underlying detection models are properly calibrated. Administrators and IT professionals should remain vigilant for additional updates and be prepared to adjust policies or workflows to mitigate impact while Microsoft works toward a comprehensive remedy.