Microsoft Message ID

microsoftmessageid

Microsoft Issue ID: EX1227432 – 2026-02-20 | Some users’ legitimate email messages may be marked as phishing and quarantined in Exchange Online

Microsoft Service Health

💡 Our Technical Review in summary

Summary

Between February 5 and February 12, 2026, an issue occurred in Exchange Online where legitimate email messages were incorrectly identified as phishing and automatically moved to quarantine. The root cause was a faulty update to a URL filtering rule intended to catch sophisticated spam; instead, it triggered false positives on benign email traffic.

Impact

Impacted users experienced legitimate inbound and outbound email messages being blocked. These messages were held in quarantine rather than being delivered to the intended recipients’ inboxes. The scope of impact was limited to a subset of users attempting to send or receive messages containing specific URL patterns flagged by the updated rule.

Status

Resolved. The incident has been fully mitigated. Microsoft has corrected the faulty URL rule and successfully released all messages that were previously held in quarantine. Affected messages should now be delivered to their original destinations. A final Post-Incident Report (PIR) was published on February 20, 2026, and Microsoft is currently reviewing its URL rule implementation processes to prevent similar false positive detections in the future.

Microsoft Official Issue Details

User Impact

Users’ legitimate email messages may have been marked as phishing and quarantined in Exchange Online.

Status: postIncidentReviewPublished

Service: Exchange Online

Classification: incident

Origin: microsoft

Updates

  • 2026-02-20 00:33
    A post-incident report has been published.
  • 2026-02-19 13:20
    A post-incident report has been published.
  • 2026-02-17 21:02
    A post-incident report has been published.
  • 2026-02-17 20:59
    A post-incident report has been published.
  • 2026-02-17 00:52
    A post-incident report has been published.
  • 2026-02-17 00:52
    A post-incident report has been published.
  • 2026-02-12 19:15
    Title: Some users’ legitimate email messages may be marked as phishing and quarantined in Exchange Online

    User impact: Users’ legitimate email messages may have been marked as phishing and quarantined in Exchange Online.

    More info: Users can expect messages which were previously quarantined by this incident to have been successfully delivered.

    Final status: We’ve validated the successful release of the small portion of remaining messages and confirmed the impact associated with this incident is now resolved.

    Scope of impact: Some users attempting to send or receive Exchange Online email messages may have been impacted.

    Start time: Thursday, February 5, 2026, at 12:26 AM UTC

    End time: Thursday, February 12, 2026, at 2:00 PM UTC

    Preliminary root cause: An updated URL rule intending to identify more sophisticated spam and phishing email messages was incorrectly quarantining legitimate email messages in Exchange Online.

    Next steps: We’re reviewing our ongoing URL rule implementation processes to find ways to reduce similar false positive detections in the future while continuing to adapt and respond to evolving spam and phishing techniques.

    We’ll provide a preliminary Post-Incident Report within two business days and a final Post-Incident Report within five business days.

  • 2026-02-12 16:46
    Title: Some users’ legitimate email messages may be marked as phishing and quarantined in Exchange Online

    User impact: Users’ legitimate email messages may be marked as phishing and quarantined in Exchange Online.

    More info: Users may see some previously quarantined messages successfully delivered; however, some messages may still be impacted until the issue is fully resolved.

    Current status: We’re carefully reviewing a small portion of messages which remain in quarantine to assess the final actions needed as we near the completion of the restoration process.

    Scope of impact: Some users attempting to send or receive Exchange Online email messages may be impacted. This information may be updated as our investigation continues.

    Start time: Thursday, February 5, 2026, at 12:26 AM UTC

    Preliminary root cause: An updated URL rule intending to identify more sophisticated spam and phishing email messages is incorrectly quarantining legitimate email messages in Exchange Online, resulting in impact.

    Next update by: Thursday, February 12, 2026, at 8:00 PM UTC

  • 2026-02-12 05:17
    Title: Some users’ legitimate email messages may be marked as phishing and quarantined in Exchange Online

    User impact: Users’ legitimate email messages may be marked as phishing and quarantined in Exchange Online.

    More info: Users may see some previously quarantined messages successfully delivered; however, some messages may still be impacted until the issue is fully resolved.

    Current status: We’ve continued to make progress restoring previously affected email messages. We’re actively monitoring the restoration process and taking targeted actions to address any remaining blockers.

    Scope of impact: Some users attempting to send or receive Exchange Online email messages may be impacted. This information may be updated as our investigation continues.

    Start time: Thursday, February 5, 2026, at 12:26 AM UTC

    Preliminary root cause: An updated URL rule intending to identify more sophisticated spam and phishing email messages is incorrectly quarantining legitimate email messages in Exchange Online, resulting in impact.

    Next update by: Thursday, February 12, 2026, at 6:00 PM UTC

  • 2026-02-12 00:31
    Title: Some users’ legitimate email messages may be marked as phishing and quarantined in Exchange Online

    User impact: Users’ legitimate email messages may be marked as phishing and quarantined in Exchange Online.

    More info: Users may see some previously quarantined messages successfully delivered; however, some messages may still be impacted until the issue is fully resolved.

    Current status: We’ve confirmed that no additional messages are being quarantined due to this incident, and we’re proceeding with our work to incrementally release those messages which were previously affected.

    Scope of impact: Some users attempting to send or receive Exchange Online email messages may be impacted. This information may be updated as our investigation continues.

    Start time: Thursday, February 5, 2026, at 12:26 AM UTC

    Preliminary root cause: An updated URL rule intending to identify more sophisticated spam and phishing email messages is incorrectly quarantining legitimate email messages in Exchange Online, resulting in impact.

    Next update by: Thursday, February 12, 2026, at 6:00 AM UTC

  • 2026-02-11 00:00
    Title: Some users’ legitimate email messages may be marked as phishing and quarantined in Exchange Online

    User impact: Users’ legitimate email messages may be marked as phishing and quarantined in Exchange Online.

    More info: Users may see some previously quarantined messages successfully delivered; however, some messages may still be impacted until the issue is fully resolved.

    Current status: We’re actively working on unblocking legitimate URLs and releasing quarantined messages. As we progress through these workstreams, some impacted accounts will see legitimate email messages returning to their inboxes from quarantine.

    Scope of impact: Some users attempting to send or receive Exchange Online email messages may be impacted. This information may be updated as our investigation continues.

    Start time: Thursday, February 5, 2026, at 12:26 AM UTC

    Preliminary root cause: An updated URL rule intending to identify more sophisticated spam and phishing email messages is incorrectly quarantining legitimate email messages in Exchange Online, resulting in impact.

    Next update by: Thursday, February 12, 2026, at 1:00 AM UTC

  • 2026-02-09 23:34
    Title: Some users’ legitimate email messages may be marked as phishing and quarantined in Exchange Online

    User impact: Users’ legitimate email messages may be marked as phishing and quarantined in Exchange Online.

    More info: Users may see some previously quarantined messages successfully delivered; however, some messages may still be impacted until the issue is fully resolved.

    Current status: We discovered an issue when unblocking some legitimate URLs which we must resolve prior to releasing the quarantined messages. We’re working on addressing the blocker so we can proceed with unblocking the legitimate URLs and releasing the quarantined messages to remediate.

    Scope of impact: Some users attempting to send or receive Exchange Online email messages may be impacted.

    Start time: Thursday, February 5, 2026, at 12:26 AM UTC

    Preliminary root cause: An updated URL rule intending to identify more sophisticated spam and phishing email messages is incorrectly quarantining legitimate email messages in Exchange Online, resulting in impact.

    Next update by: Wednesday, February 11, 2026, at 1:00 AM UTC

  • 2026-02-07 20:20
    Title: Some users’ legitimate email messages may be marked as phishing and quarantined in Exchange Online

    User impact: Users’ legitimate email messages may be marked as phishing and quarantined in Exchange Online.

    Current status: We’re reviewing the release of quarantined messages for affected users and working on confirming legitimate URLs are unblocked. Some users may see their previously quarantined messages successfully delivered and we’re working to confirm full remediation. We’ll provide an estimated time to resolve when one becomes available.

    Scope of impact: Some users attempting to send or receive Exchange Online email messages may be impacted.

    Preliminary root cause: An updated URL rule intending to identify more sophisticated spam and phishing email messages is incorrectly quarantining legitimate email messages in Exchange Online, resulting in impact.

    Next update by: Tuesday, February 10, 2026, at 1:00 AM UTC

  • 2026-02-07 03:50
    Title: Some users’ legitimate email messages may be marked as phishing email and quarantined in Exchange Online

    User impact: Users’ legitimate email messages may be marked as phishing email and quarantined in Exchange Online.

    Current status: We’re continuing to review our logging and detection components to ensure our current mitigation strategy fully remediates the impact. In the meantime, we’re releasing quarantined messages for affected users and unblocking URLs as our investigation progresses.

    Scope of impact: Some users attempting to send or receive Exchange Online email messages may be impacted.

    Root cause: The email messages are getting incorrectly marked as phishing and quarantined in Exchange Online due to ever-evolving criteria aimed at identifying suspicious email messages, as spam and phishing techniques have become more sophisticated in avoiding detection.

    Next update by: Saturday, February 7, 2026, at 8:30 PM UTC

  • 2026-02-07 02:22
    Title: Some users’ legitimate email messages may be marked as phishing email and quarantined in Exchange Online

    User impact: Users’ legitimate email messages may be marked as phishing email and quarantined in Exchange Online.

    Current status: While monitoring the process of releasing the quarantined messages for the affected users, we received fresh reports of quarantined messages from a subset of affected users. We’re reviewing the logging and impact details provided by this subset of users to help us determine how we can adjust our current mitigation strategy to ensure full remediation for all affected environments.

    Scope of impact: Some users attempting to send or receive Exchange Online email messages may be impacted.

    Root cause: The email messages are getting incorrectly marked as phishing and quarantined in Exchange Online due to ever-evolving criteria aimed at identifying suspicious email messages, as spam and phishing techniques have become more sophisticated in avoiding detection.

    Next update by: Saturday, February 7, 2026, at 4:30 AM UTC

  • 2026-02-06 10:29
    Title: Some users’ legitimate email messages may be marked as phishing email and quarantined in Exchange Online

    User impact: Users’ legitimate email messages may be marked as phishing email and quarantined in Exchange Online.

    Current status: We’re continuing to release the quarantined messages for the affected users to fully resolve this problem. In parallel, we’re actively working to evaluate additional remediation actions to perform in order to expedite the process of recovery.

    Scope of impact: Some users attempting to send or receive Exchange Online email messages may be impacted.

    Root cause: The email messages are getting incorrectly marked as phishing and quarantined in Exchange Online due to ever-evolving criteria aimed at identifying suspicious email messages, as spam and phishing techniques have become more sophisticated in avoiding detection.

    Next update by: Saturday, February 7, 2026, at 2:30 AM UTC

  • 2026-02-06 05:04
    Title: Some users’ legitimate email messages are being marked as phish and quarantined in Exchange Online

    User impact: Users’ legitimate email messages are being marked as phish and quarantined in Exchange Online.

    Current status: We expect that the issue is resolved for any new messages as a result of adding the affected URLs to the allow list and we’re continuing the process of working with support to collect the necessary data to release the quarantine messages to fully resolve this problem. We’ll provide an estimate for the completion of this process when available.

    Scope of impact: Your organization is affected by this event, and some users attempting to send or receive Exchange Online email messages are impacted.

    Root cause: The email messages are getting incorrectly marked as phish and quarantined in Exchange Online due to ever-evolving criteria aimed at identifying suspicious email messages, as spam and phishing techniques have become more sophisticated in avoiding detection.

    Next update by: Friday, February 6, 2026, at 10:30 AM UTC

  • 2026-02-06 01:03
    Title: Some users’ legitimate email messages are being marked as phish and quarantined in Exchange Online

    User impact: Users’ legitimate email messages are being marked as phish and quarantined in Exchange Online.

    Current status: We’ve added the associated URLs for the affected email messages to the allow list to resolve further impact from occurring. We’re now in the process of releasing the affected quarantined email messages to fully resolve the issue. Additionally, we anticipate that we’ll be able to provide a remediation timeline by the time of our next scheduled communications update.

    Scope of impact: Your organization is affected by this event, and some users attempting to send or receive Exchange Online email messages are impacted.

    Root cause: The email messages are getting incorrectly marked as phish and quarantined in Exchange Online due to ever-evolving criteria aimed at identifying suspicious email messages, as spam and phishing techniques have become more sophisticated in avoiding detection.

    Next update by: Friday, February 6, 2026, at 6:30 AM UTC

  • 2026-02-05 17:36
    Title: Some users’ legitimate email messages are being marked as phish and quarantined in Exchange Online

    User impact: Users’ legitimate email messages are being marked as phish and quarantined in Exchange Online.

    Current status: We’ve determined that the URLs associated with these email messages are incorrectly marked as phish and quarantined in Exchange Online due to ever-evolving criteria aimed at identifying suspicious email messages, as spam and phishing techniques have become more sophisticated in avoiding detection. We’ve added the associated URLs for these affected email messages to an allow list and are currently monitoring as these actions reflect within our service. After we confirm these URLs have successfully been allowed, we’ll conduct final testing with a subset of users in order to validate that this has remediated impact.

    Scope of impact: Your organization is affected by this event, and some users attempting to send or receive Exchange Online email messages are impacted.

    Root cause: The email messages are getting incorrectly marked as phish and quarantined in Exchange Online due to ever-evolving criteria aimed at identifying suspicious email messages, as spam and phishing techniques have become more sophisticated in avoiding detection.

    Next update by: Friday, February 6, 2026, at 2:00 AM UTC

  • 2026-02-05 15:32
    Title: Some users’ legitimate email messages are being marked as phish and quarantined in Exchange Online

    User impact: Users’ legitimate email messages are being marked as phish and quarantined in Exchange Online.

    Current status: We’re reviewing support provided information to determine our next troubleshooting steps.

    Scope of impact: Your organization is affected by this event, and some users attempting to send or receive Exchange Online email messages are impacted.

    Next update by: Thursday, February 5, 2026, at 5:30 PM UTC

Prev :
Next :

Most Read

Recent News