Microsoft is investigating a widespread issue in Exchange Online that has incorrectly flagged legitimate emails as phishing, causing significant disruption to business communications globally.
The incident, identified under ID EX1227432, began on February 5 and remains unresolved, affecting numerous organizations that rely on Microsoft 365 for daily operations.
According to Microsoft, the problem stems from a recently updated URL detection rule designed to counter increasingly sophisticated phishing attacks. While intended to enhance security, the new rule has proven overly aggressive, mistakenly marking safe URLs as malicious.
As a result, legitimate inbound and outbound emails have been automatically quarantined, preventing users from sending or receiving critical messages and disrupting business workflows.
Microsoft has officially categorized the situation as an incident, noting a clear user impact, though the company has not disclosed the exact number of affected customers or regions. Teams are actively working to correct the configuration while reviewing quarantined messages. Some previously flagged emails have since been successfully delivered.
Despite the widespread disruption, Microsoft has advised administrators not to disable security protections entirely. Instead, IT teams are encouraged to monitor quarantine folders carefully and report false positives via Microsoft’s submission tools to help retrain the filtering models.
What is phishing?
Phishing is a deceptive cybercrime in which attackers impersonate trusted entities via email, SMS, or websites to steal sensitive information such as passwords, credit card numbers, or banking details. Attackers often create a sense of urgency, anxiety, or fear to manipulate users into providing confidential data.







