Microsoft: Microsoft Exchange Online Erroneously Flags Legitimate Emails as Phishing

Microsoft Exchange Online Hit by Overzealous Anti-Phishing Filter, Trapping Legitimate Emails

On February 5, 2026, Microsoft Exchange Online began incorrectly flagging legitimate business emails as phishing attempts, causing widespread disruptions. The issue, tracked as incident EX1227432, stems from a newly deployed anti-spam rule designed to detect malicious URLs in messages. Instead, the filter has overgeneralized, quarantining safe emails under the "High Confidence Phishing" verdict when they contain everyday links to invoices, client updates, or trusted file-sharing services such as Dropbox.

The problem affects organizations using Exchange Online within Microsoft 365, with both inbound and outbound emails impacted. Admins report critical communications failing to deliver, forcing manual intervention to release trapped messages from the Microsoft 365 Defender portal. While Microsoft has implemented partial fixes, including whitelisting certain URLs, full resolution remains ongoing as of February 10, 2026, with no confirmed timeline for recovery.

The root cause lies in an overly aggressive machine learning model, updated to catch zero-day phishing threats but misclassifying benign domains because of broad heuristics. Emails containing shortened or obfuscated URLs, which are common in legitimate business use, are particularly likely to be misclassified. Microsoft has acknowledged the issue and is refining the filter, though only intermittent improvements have been reported so far.

The incident highlights the risks of AI-driven security tools when not properly calibrated, disrupting productivity for enterprises reliant on Exchange Online. Admins are advised to monitor quarantines and submit false positives to aid Microsoft’s adjustments.

Source: https://cyberpress.org/microsoft-exchange-emails-as-phishing/

Microsoft cybersecurity rating report: https://www.rankiteo.com/company/Microsoft

{
  "id": "MIC1770718364",
  "linkid": "Microsoft",
  "type": "Cyber Attack",
  "date": "2/2026",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}

{
  "affected_entities": [
    {
      "customers_affected": "Organizations using Exchange Online within Microsoft 365",
      "industry": "Technology/Cloud Services",
      "location": "Global",
      "name": "Microsoft Exchange Online (Microsoft 365)",
      "size": "Large",
      "type": "Email Service Provider"
    }
  ],
  "date_detected": "2026-02-05",
  "date_publicly_disclosed": "2026-02-05",
  "description": "On February 5, 2026, Microsoft Exchange Online began incorrectly flagging legitimate business emails as phishing attempts, causing widespread disruptions. The issue, tracked as incident EX1227432, stems from a newly deployed anti-spam rule designed to detect malicious URLs in messages. Instead, the filter has overgeneralized, quarantining safe emails containing everyday links such as invoices, client updates, or trusted file-sharing services like Dropbox under 'High Confidence Phishing.' The problem affects organizations using Exchange Online within Microsoft 365, with both inbound and outbound emails impacted. Admins report critical communications failing to deliver, forcing manual intervention to release trapped messages from the Microsoft 365 Defender portal. While Microsoft has implemented partial fixes, including whitelisting certain URLs, full resolution remains ongoing as of February 10, 2026, with no confirmed timeline for recovery.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to disrupted communications",
    "operational_impact": "Widespread disruptions in email delivery, manual intervention required to release quarantined emails",
    "systems_affected": "Microsoft Exchange Online (Microsoft 365)"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Highlights the risks of AI-driven security tools when not properly calibrated, emphasizing the need for balanced heuristics to avoid false positives.",
  "post_incident_analysis": {
    "corrective_actions": "Refining the filter, adjusting heuristics, and improving calibration of the AI model.",
    "root_causes": "Overly aggressive machine learning model in the anti-phishing filter, misclassifying benign domains due to broad heuristics."
  },
  "recommendations": "Monitor quarantines closely, submit false positives to Microsoft, and consider temporary workarounds for critical communications.",
  "references": [
    {
      "date_accessed": "2026-02-10",
      "source": "Microsoft Incident Tracker"
    }
  ],
  "response": {
    "communication_strategy": "Acknowledged the issue, advised admins to monitor quarantines and submit false positives",
    "containment_measures": "Partial fixes, including whitelisting certain URLs",
    "incident_response_plan_activated": "Yes",
    "recovery_measures": "Ongoing, no confirmed timeline for full resolution",
    "remediation_measures": "Refining the anti-phishing filter, submitting false positives for adjustment"
  },
  "stakeholder_advisories": "Admins advised to monitor quarantines and submit false positives to aid adjustments.",
  "title": "Microsoft Exchange Online Hit by Overzealous Anti-Phishing Filter, Trapping Legitimate Emails",
  "type": "False Positive Security Filter"
}