Microsoft Glitch Blocks Legitimate Emails, Teams Messages

Microsoft has confirmed that a faulty anti-phishing detection rule designed to stop credential theft campaigns mistakenly blocked thousands of legitimate emails and Teams messages for nearly a week.

The disruption affected customers using Exchange Online and Microsoft Teams, two key services within the company’s Microsoft 365 ecosystem.

According to Microsoft’s preliminary post-incident report, the incident tracked internally as EX1227432 began on February 5 and was fully resolved on February 12.

The Root Cause

The root cause was a logic error in a heuristic detection system meant to identify new and emerging credential phishing campaigns. Shortly after the detection rules were updated, the rule began incorrectly flagging legitimate URLs as phishing links at a much higher rate than intended.

“This issue occurred due to a logic error in a heuristic detection aimed at novel credential phishing campaigns that spiked several hours after release,” Microsoft explained.

A Cascade Of Automated Reactions

Since Microsoft’s security infrastructure is highly automated, the faulty detection triggered automated security responses, including:

  • Blocking users from opening links in emails and Teams messages
  • Quarantining entire emails
  • Automatically removing messages after delivery through Zero-hour Auto Purge (ZAP) events
  • Generating false “potentially malicious URL click” alerts for administrators
  • Generating XDR security alerts based on the incorrect detections

Other security tools within Microsoft’s detection ecosystem amplified the flawed rule’s effects. To make matters worse, a separate bug in the company’s security signature systems delayed efforts to roll back the faulty detection mechanism.

In simple terms, one mistake triggered a chain reaction across multiple automated defenses — making the issue more widespread and slower to fix.
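The chain reaction described above is a detection rule feeding automated response actions with nothing in between to notice that the rule's hit rate had jumped far above what a credential-phishing heuristic normally produces. The following is an added illustrative example, not Microsoft's code and not based on the actual defect in its rule (which the preliminary report does not describe). It assumes a simple pipeline in which every detection rule is wrapped in a guard that compares the rule's hit rate over a sliding window against the baseline measured before release; when the rate spikes past a multiple of that baseline, the rule is demoted to monitor-only, so verdicts are still logged but quarantine, purge and alerting are suppressed until a human reviews it. The two heuristics, the trusted-host list and the message traffic are all constructed for the example; the "overbroad" rule is a stand-in for a rule whose logic error ignores its own allowlist.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, List, Optional
from urllib.parse import urlparse

# Constructed allowlist and keyword list; a real deployment would source these elsewhere.
TRUSTED_HOSTS = {"teams.microsoft.com", "login.microsoftonline.com", "example-corp.com"}
CREDENTIAL_WORDS = ("login", "signin", "verify", "password")


@dataclass
class Message:
    msg_id: str
    urls: List[str]


def phish_url_heuristic(url: str) -> bool:
    """Constructed heuristic: a credential-harvest keyword in the path of an untrusted host."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return host not in TRUSTED_HOSTS and any(w in parsed.path.lower() for w in CREDENTIAL_WORDS)


def overbroad_heuristic(url: str) -> bool:
    """Constructed stand-in for a rule with a logic error: the host allowlist is never
    consulted, so the organisation's own SSO links are flagged as phishing too."""
    return any(w in urlparse(url).path.lower() for w in CREDENTIAL_WORDS)


@dataclass
class RuleGuard:
    """Demotes a rule to monitor-only when its observed hit rate spikes above baseline."""
    baseline_rate: float          # hit rate measured for the rule before release
    spike_factor: float = 5.0     # demote when observed rate > spike_factor * baseline
    window: int = 200             # sliding window, in messages
    min_samples: int = 50         # do not judge the rule on too few messages
    hits: deque = field(default_factory=deque)
    enforcing: bool = True        # False => log verdicts, take no automated action

    def record(self, hit: bool) -> bool:
        """Record one verdict and return whether automated actions are still allowed."""
        self.hits.append(hit)
        if len(self.hits) > self.window:
            self.hits.popleft()
        if self.enforcing and len(self.hits) >= self.min_samples:
            rate = sum(self.hits) / len(self.hits)
            if rate > self.spike_factor * self.baseline_rate:
                self.enforcing = False   # kill switch: stays off until a human re-enables
        return self.enforcing


@dataclass
class Outcome:
    quarantined: List[str] = field(default_factory=list)   # automated actions taken
    alerts: List[str] = field(default_factory=list)        # admin alerts raised
    monitor_only: List[str] = field(default_factory=list)  # verdicts logged, no action
    demoted_at: Optional[int] = None                       # message index at demotion


def run_pipeline(messages: List[Message], rule: Callable[[str], bool], guard: RuleGuard) -> Outcome:
    """Apply one rule to a message stream; automated actions run only while the guard allows."""
    out = Outcome()
    for i, msg in enumerate(messages):
        hit = any(rule(u) for u in msg.urls)
        enforcing = guard.record(hit)
        if not enforcing and out.demoted_at is None:
            out.demoted_at = i
        if not hit:
            continue
        if enforcing:
            out.quarantined.append(msg.msg_id)
            out.alerts.append(f"potentially malicious URL blocked in {msg.msg_id}")
        else:
            out.monitor_only.append(msg.msg_id)
    return out


def make_traffic(n: int = 300) -> List[Message]:
    """Constructed traffic: mostly internal SSO, Teams and docs links, plus a phish every 50 messages."""
    msgs = []
    for i in range(n):
        if i % 50 == 0:
            urls = ["http://account-verify.example.net/login"]        # constructed phishing link
        elif i % 3 == 0:
            urls = ["https://example-corp.com/login/sso"]              # legitimate internal SSO link
        elif i % 3 == 1:
            urls = ["https://teams.microsoft.com/l/meetup-join/abc"]   # legitimate Teams link
        else:
            urls = ["https://docs.example-corp.com/handbook"]          # legitimate docs link
        msgs.append(Message(f"msg-{i}", urls))
    return msgs


if __name__ == "__main__":
    traffic = make_traffic()
    good = run_pipeline(traffic, phish_url_heuristic, RuleGuard(baseline_rate=0.02))
    bad = run_pipeline(traffic, overbroad_heuristic, RuleGuard(baseline_rate=0.02))
    print("correct rule:  quarantined", len(good.quarantined), "demoted_at", good.demoted_at)
    print("overbroad rule: quarantined", len(bad.quarantined), "monitor-only", len(bad.monitor_only),
          "demoted_at", bad.demoted_at)
```

With the correct heuristic the guard never trips and the six constructed phishing messages are quarantined. With the overbroad rule, the hit rate in the first 50 messages is 34%, far above the 10% threshold, so the guard demotes the rule at message 49: 17 legitimate SSO links are quarantined before that point, and the remaining 87 hits are only logged. The point of the design is that the blast radius of a bad rule is bounded by the sample size needed to notice the spike, rather than by how long a rollback takes, which is exactly the dimension on which the incident above got worse.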

How It Affected Users

During the affected period, users across Microsoft Exchange Online and Microsoft Teams experienced disruptions in routine communication.

Many users found they could not open links in routine emails or Teams chats. In some cases, emails were completely quarantined. IT administrators faced confusion as dashboards showed warning alerts suggesting suspicious activity — alerts Microsoft later confirmed were false positives.

While the total number of impacted users has not been disclosed, the company classified the event as an “incident,” a label typically reserved for issues with widespread customer impact.

Not the First Email Filtering Issue

This is not the first time Microsoft's automated email defenses have caused such problems in recent years. Previously, an Exchange Online bug caused legitimate emails from Gmail accounts to be wrongly marked as spam or malicious.

As recently as September, another anti-spam service issue blocked URLs and quarantined some emails in both Exchange Online and Teams.

Separately, Microsoft is also working to fix a bug in Microsoft 365 Copilot Chat which, since late January, has allowed confidential emails to be summarized in certain cases.

What Happens Next?

Microsoft says it will release a final post-incident report within five business days of full resolution. It added that it is working to prevent similar incidents in the future.

For now, Microsoft says the faulty detection rules have been corrected, and affected services are operating normally. Users should no longer experience blocked links or unexpected quarantines tied to this issue.

The incident highlights how difficult it is for major cloud companies to maintain strong security defenses without accidentally blocking the normal emails and messages that businesses depend on every day.


Kavita Iyer