Microsoft Exchange Online mistakenly quarantines legitimate emails
Farah Amod
March 5, 2026
A new URL filtering rule caused Exchange Online to flag valid emails as malicious, disrupting customer mail flow.
What happened
Microsoft is investigating an ongoing issue in Exchange Online that has resulted in legitimate email messages being incorrectly marked as phishing and placed in quarantine. According to BleepingComputer, the problem began on February 5 and affected customers attempting to send or receive email through the cloud service. Microsoft acknowledged the incident in a service alert, explaining that URLs within certain emails were mistakenly identified as malicious under updated detection criteria. Over the weekend, Microsoft confirmed that a newly introduced URL rule intended to improve spam and phishing detection was responsible for the misclassification. The company has classified the issue as an incident and is working to release quarantined messages while validating legitimate URLs.
Going deeper
URL reputation filtering is a core component of modern cloud email security, where messages are scanned in real time for malicious links. In this incident, a detection rule intended to catch more advanced phishing techniques mistakenly flagged legitimate URLs as threats, creating false positives. Such errors can disrupt operations, delay normal business communication, and reduce trust in automated filtering systems. Exchange Online relies on automated detection engines and machine learning models to identify suspicious activity, and updates to these rules can sometimes cause unintended side effects before adjustments are made. Microsoft said affected users may see previously quarantined emails gradually restored as remediation efforts continue.
What was said
While Microsoft has not disclosed how many customers are affected or which regions are impacted, it has classified the issue as an incident, which typically indicates noticeable user impact.
In an update cited by BleepingComputer on February 8, 2026, Microsoft said it is actively working to reverse the problem and release legitimate emails that were mistakenly quarantined.
“We're reviewing the release of quarantined messages for affected users and working on confirming legitimate URLs are unblocked,” the company noted on Saturday. “Some users may see their previously quarantined messages successfully delivered and we're working to confirm full remediation. We'll provide an estimated time to resolve when one becomes available.”
In the know
Microsoft has faced similar issues in recent years where Exchange Online bugs led to legitimate emails being quarantined or mislabeled. In March, an Exchange Online issue caused anti-spam systems to mistakenly quarantine some users’ messages. In May, a machine learning model incorrectly flagged emails from Gmail accounts as spam. More recently, in September, an anti-spam service bug blocked Exchange Online and Microsoft Teams users from opening URLs and quarantined certain emails, disrupting normal communication workflows.
The big picture
False positives, where legitimate activity is mistakenly flagged as malicious, have become a growing operational risk as automated security systems grow more aggressive in response to changing phishing tactics. The 2024 Verizon Data Breach Investigations Report notes that phishing remains one of the most common initial access methods in security incidents, prompting vendors to tighten detection thresholds (the sensitivity level at which a system decides something is suspicious). A Paubox report found that phishing-driven mailbox takeovers accounted for 17% of all email breaches in 2025 but were the most damaging by impact, exposing more than 630,000 individuals. As filtering tools adapt to more evasive phishing techniques, legitimate emails or traffic can be blocked if security rules are not carefully adjusted. Organizations that rely heavily on automated cloud security controls must balance strong detection with business continuity to avoid disruption caused by overly strict filtering.
FAQs
Why would a security update cause legitimate emails to be flagged?
Detection systems use rule sets and behavioral signals to classify threats. When new rules are introduced to catch advanced phishing tactics, they may inadvertently match legitimate patterns until refinements are applied.
What is a false positive in email security?
A false positive occurs when a legitimate email or URL is incorrectly identified as malicious and blocked or quarantined by security software.
Does this incident indicate a breach of Exchange Online?
No breach has been reported. The issue involves incorrect classification by filtering systems rather than unauthorized access to customer data.
How are quarantined emails typically restored?
Administrators or service providers review flagged messages, validate URLs, adjust rules, and release emails from quarantine once confirmed as safe.
How can organizations reduce the impact of false positives?
Maintaining clear incident response procedures, monitoring service health alerts, and configuring quarantine review workflows can help reduce operational disruption when filtering errors occur.
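The restore and review workflow described in the last two answers, as an added example that is not Paubox's or Microsoft's own code: an Exchange Online PowerShell triage that lists inbound messages quarantined as phishing since the February 5 start of the incident, summarizes them by sender domain, records them for audit, and dry-runs the release of messages from a reviewer-approved domain list. The ExchangeOnlineManagement module, the admin role, and the knownGoodDomains list are assumptions.

```powershell
# Added example (not Paubox's or Microsoft's code): triage and release of
# Exchange Online phishing quarantine after a known vendor-side false-positive rule.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds a role that can manage quarantine (e.g. Security Administrator).
Connect-ExchangeOnline

# Incident window from the article: the new URL rule began misfiring on 5 February 2026.
$start = Get-Date '2026-02-05'
$end   = Get-Date

# Constructed placeholder list of sender domains the organization has already
# verified as legitimate; replace with your own reviewed list.
$knownGoodDomains = @('partner.example', 'vendor.example')

# Page through inbound, still-quarantined messages classified as phishing in the window.
$page = 1; $hits = @()
do {
    $batch = Get-QuarantineMessage -Direction Inbound `
        -QuarantineTypes Phish,HighConfPhish `
        -StartReceivedDate $start -EndReceivedDate $end `
        -ReleaseStatus NotReleased -PageSize 1000 -Page $page
    $hits += $batch
    $page++
} while ($batch.Count -eq 1000)

# Summarize by sender domain so a reviewer can see the shape of the spike.
$hits |
    Group-Object { ($_.SenderAddress -split '@')[-1].ToLower() } |
    Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Keep an audit trail of everything considered before releasing anything.
$hits | Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Type, Identity |
    Export-Csv -Path .\phish-quarantine-review.csv -NoTypeInformation

# Release only messages from reviewed domains. Dry-run first with -WhatIf, then
# rerun without it. -ReportFalsePositive tells Microsoft the verdict was wrong.
$candidates = $hits | Where-Object {
    $knownGoodDomains -contains (($_.SenderAddress -split '@')[-1].ToLower())
}
$candidates | Release-QuarantineMessage -ReleaseToAll -ReportFalsePositive -WhatIf

Disconnect-ExchangeOnline -Confirm:$false
```

Everything outside the approved-domain list stays quarantined for manual review, which is the safer default while the vendor is still confirming which URLs were wrongly blocked.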