Microsoft has confirmed an ongoing Exchange Online incident that incorrectly flags legitimate emails as phishing, forcing them into quarantine and disrupting email delivery for organizations worldwide.
The issue began on February 5 and continues to affect both inbound and outbound messages. Administrators report delayed communications, missed emails, and increased manual intervention as a result.
How a New URL Detection Rule Is Causing Phishing False Positives
Microsoft traced the problem to a new URL detection rule deployed to strengthen phishing protection. The rule aggressively scans links inside emails, but it mistakenly identifies safe URLs as malicious.
Once the system flags a URL, Exchange Online automatically labels the entire message as phishing and sends it to quarantine. This behavior overrides many existing allow lists, increasing the impact on business email flows .
Microsoft Begins Releasing Quarantined Exchange Online Emails
Microsoft engineers are actively reviewing quarantined messages and releasing emails confirmed as legitimate. Some users have already started receiving delayed messages in their inboxes.
However, Microsoft has not provided:
- An estimated time for full resolution
- A list of affected regions
- The number of impacted tenants
The company has officially classified the situation as an incident, which signals noticeable user disruption rather than a minor service issue .
Administrators Face Increased Manual Work
Until Microsoft fully resolves the issue, IT administrators must:
- Monitor quarantine queues closely
- Manually release legitimate emails
- Report false positives through the Microsoft 365 admin center
Microsoft advises customers to track updates under the incident ID in the service health dashboard and avoid bypassing high-confidence phishing policies, as those rules ignore most overrides.
Part of a Broader Exchange Online Transition
The incident follows several recent changes across Exchange Online, including:
- The shutdown of Exchange Web Services
- Restrictions on local mailbox moves
- New access blocks on non-compliant devices
Microsoft has not confirmed whether the phishing misclassification directly relates to these broader updates, but administrators continue to raise concerns about aggressive filtering behavior .
See also: Microsoft Warns Against Exchange Online Local Mailbox Moves
Microsoft says it will publish a resolution timeline once engineers confirm full remediation. Until then, organizations should expect intermittent email delays and continue active monitoring.
This incident highlights the growing challenge of balancing advanced phishing protection with email reliability, especially as automated detection rules become more aggressive.
