Ethical Hacking News
Microsoft has revealed that an Exchange Online issue mistakenly quarantined legitimate emails and Teams messages for nearly a week because of faulty heuristic detection rules. The root cause was a logic error in a detection system built to block credential phishing attacks, which flagged legitimate URLs at an increased rate. Thousands of URLs were incorrectly flagged as phishing, leading to blocks on newly delivered emails and automated responses that worsened the situation. Microsoft has acknowledged the issue, which it classified as an "incident" involving noticeable user impact, and is working to resolve it, but has not disclosed the total number of users affected. The incident highlights the importance of robust testing and quality assurance in software development and cybersecurity monitoring.
Microsoft has recently revealed that an Exchange Online issue, which mistakenly quarantined legitimate emails and Teams messages for nearly a week, was triggered by faulty heuristic detection rules designed to block credential phishing campaigns. The incident, tracked under EX1227432, began on February 5 and was not fully resolved until February 12. During this period, users across Exchange Online and Microsoft Teams were unable to open links in messages, with some of their emails quarantined entirely.
The root cause of the issue was a logic error in a detection system designed to identify new credential phishing attacks. Shortly after the system was updated, it began flagging legitimate URLs at a far higher rate than intended, triggering a cascade of automated responses that aggravated the problem. Other security tools within Microsoft's detection infrastructure also amplified the incident's impact, and a separate bug in the company's security signature systems further delayed efforts to roll back the flawed detection rules.
The logic error in question was part of a heuristic detection system designed to flag novel credential phishing campaigns. Shortly after its release, however, the system began flagging legitimate URLs at an increased rate, which set off a series of automated responses that worsened the situation. As a result, thousands of URLs were incorrectly identified as phishing, which triggered blocks on newly delivered emails containing those URLs, ZAP events that removed emails and Teams messages containing them, and XDR alerts for the related click events.
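A defender-side guardrail for the kind of cascade described above, as an added Python example that is not Microsoft's code and assumes nothing about its pipeline: a heuristic URL rule is updated with a logic error, and a rate monitor compares the new rule's flag rate with the pre-update baseline, downgrading automated quarantine and ZAP actions to alert-only once the rate overshoots. The URLs, rules, and thresholds are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample traffic: ordinary corporate links plus two phishing-style URLs.
URLS = (
    [f"https://intranet.example.com/docs/page{i}?id={i}" for i in range(40)]
    + [f"https://sharepoint.example.com/sites/team/file{i}.docx" for i in range(40)]
    + ["https://login-verify.example.net/secure/login?acct=1",
       "https://account-update.example.org/verify-now"]
)

def _host(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0]

def rule_v1(url: str) -> bool:
    """Baseline heuristic: credential keywords in the host AND in the path."""
    return bool(re.search(r"login|verify|update", _host(url))) and \
           bool(re.search(r"login|verify", url))

def rule_v2(url: str) -> bool:
    """Updated heuristic with a (hypothetical) logic error: the intended AND became an OR
    against 'has a query string', so every parameterised URL is flagged."""
    return bool(re.search(r"login|verify|update", _host(url))) or "?" in url

@dataclass
class Guardrail:
    """Tracks a rule's flag rate after rollout and trips when it exceeds the baseline."""
    baseline_rate: float          # flag rate measured with the previous rule version
    max_ratio: float = 3.0        # trip when the new rate is > max_ratio x baseline
    min_samples: int = 50         # do not judge on a tiny sample
    seen: int = 0
    flagged: int = 0
    tripped: bool = False

    def observe(self, verdict: bool) -> str:
        """Return the action to take for one message URL verdict."""
        self.seen += 1
        self.flagged += int(verdict)
        if self.seen >= self.min_samples and not self.tripped:
            if self.flagged / self.seen > self.baseline_rate * self.max_ratio:
                self.tripped = True    # stop automated removal; humans review instead
        if not verdict:
            return "deliver"
        return "alert-only" if self.tripped else "quarantine+zap"

def baseline_rate(rule=rule_v1) -> float:
    return sum(rule(u) for u in URLS) / len(URLS)

def simulate(rule, guard: Guardrail) -> Counter:
    """Run every URL through the rule and guardrail; count the resulting actions."""
    return Counter(guard.observe(rule(u)) for u in URLS)
```

With the buggy rule the guardrail trips after ten samples, so only nine messages are quarantined instead of 42, while the baseline rule never trips.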
Microsoft has not yet disclosed the total number of users affected by this incident. However, BleepingComputer previously reported that Microsoft classified the issue as an "incident," which usually involves noticeable user impact. The company has since acknowledged the issue and is working to resolve it.
This incident highlights the importance of robust testing and quality assurance in software development. It also underscores the need for security teams to closely monitor their detection infrastructure to prevent such incidents from occurring in the first place.
Microsoft has a history of dealing with similar issues, including Exchange Online bugs that resulted in emails being quarantined or incorrectly tagged as spam or malicious. In September, an anti-spam service issue blocked Exchange Online and Microsoft Teams users from opening URLs and mistakenly quarantined some of their emails.
In addition to this incident, Microsoft is also working to fix a bug that allowed its AI-powered Microsoft 365 Copilot Chat to summarize confidential emails since late January. This highlights the ongoing challenge of balancing the need for advanced security features with the potential risks associated with their implementation.
As technology continues to evolve at an increasingly rapid pace, incidents like this serve as a reminder of the importance of vigilance and proactive monitoring in the cybersecurity space. Microsoft's efforts to address this issue are a step in the right direction, but it is essential that the company and its customers remain vigilant in the face of emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/MICROSOFTS-EXCHANGE-ONLINE-EMAILS-AND-TEAMS-MESSAGES-MISTAKENLY-BLOCKED-BY-FAULTY-ANTI-PHISHING-RULES-ehn.shtml
https://www.bleepingcomputer.com/news/microsoft/microsoft-anti-phishing-rules-mistakenly-blocked-emails-teams-messages/
https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-online-flags-legitimate-emails-as-phishing/
Published: Thu Feb 19 04:48:38 2026 by llama3.2 3B Q4_K_M