Microsoft Investigates Exchange Online Issue Flagging Legitimate Emails as Phishing

Microsoft is currently investigating a problem with its Exchange Online email service that has been tagging genuine customer emails as phishing and placing them into quarantine, disrupting normal mail delivery.

The issue, which Microsoft identified in early February, appears to be linked to a recently introduced detection rule that incorrectly classifies some URLs in email messages as malicious. According to service alerts issued by the company, this rule was intended to help catch more sophisticated phishing and spam campaigns but is instead marking safe messages as dangerous.

How It’s Affecting Customers

The problem, tracked internally as EX1227432, began on February 5, 2026, and continues to affect users of Exchange Online. In some cases, legitimate messages are being blocked or quarantined, and customers have reported issues with sending and receiving email.

Microsoft classifies this as a service degradation — meaning the service itself is still functioning, but some users are seeing reduced performance or incorrect behavior. The root cause appears to be overly aggressive filtering criteria that misidentify normal links as potentially harmful.

What Microsoft Has Said

In its alert, Microsoft acknowledged that emails containing URLs might be incorrectly labeled as phishing because the new detection logic treats those links as suspicious. The company described this as an unintended side effect of efforts to tighten phishing detection in response to increasingly advanced email threats.

While Microsoft continues working on a fix, affected organisations may need to manually release quarantined emails or adjust their security settings in the Microsoft 365 admin center to reduce disruption.

A Growing Challenge for Email Security

This incident highlights a broader challenge in email security: balancing effective protection against phishing and spam with ensuring legitimate messages reach their recipients. Modern phishing attacks often use well-crafted links and legitimate services to trick users, pushing security systems to use complex rules and machine learning models to make decisions — but those same systems can sometimes overreach.

Microsoft’s anti-phishing protections — such as impersonation detection and URL analysis — are designed to block real threats, but when the thresholds are too sensitive, legitimate business communications can be caught in the crossfire.

What Users Can Do Now

Administrators of affected tenants are advised to monitor their quarantines, release valid messages, and keep an eye on updates from Microsoft. Microsoft typically provides ongoing status updates through its service health dashboard and may issue additional guidance on how to mitigate false positives while the issue is being resolved.
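The monitor-and-release step described above can be scripted in Exchange Online PowerShell. The following is an added example, not code from Microsoft or from the original article. It assumes an existing `Connect-ExchangeOnline` session with quarantine permissions, that affected messages carry the `Phish` quarantine type, and a constructed placeholder list of sender domains the administrator has already reviewed.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run with an
# account that is allowed to manage quarantine.

# Start of the incident window (February 5, 2026, per the service alert).
$since = [datetime]'2026-02-05'
$until = Get-Date

# Constructed placeholder values: replace with domains you have reviewed.
$reviewedDomains = @('partner.example', 'vendor.example')

# Assumption: affected mail was quarantined with a phishing verdict.
# Returns at most 1000 items; use -Page to read further pages.
$items = Get-QuarantineMessage -QuarantineTypes Phish `
    -StartReceivedDate $since -EndReceivedDate $until `
    -ReleaseStatus NotReleased -PageSize 1000

# Helper: lower-cased domain part of a sender address.
function Get-SenderDomain($address) {
    (("$address" -split '@')[-1]).ToLower()
}

# 1. Monitor: count quarantined messages per sender domain to see which
#    correspondents are affected.
$items |
    Group-Object { Get-SenderDomain $_.SenderAddress } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Select release candidates. A matching sender domain is only a triage
#    filter: sender addresses can be spoofed, so each message still needs review.
$candidates = $items | Where-Object {
    $reviewedDomains -contains (Get-SenderDomain $_.SenderAddress)
}

# Keep a record of what is about to be released.
$candidates |
    Select-Object ReceivedTime, SenderAddress, Subject, Identity |
    Export-Csv -Path .\quarantine-release-candidates.csv -NoTypeInformation

# 3. Release: -WhatIf makes this a dry run that only reports what would
#    happen. Remove -WhatIf once the CSV has been reviewed.
foreach ($msg in $candidates) {
    Release-QuarantineMessage -Identity $msg.Identity -ReleaseToAll -WhatIf
}
```

Everything not on the reviewed list stays in quarantine, so genuine phishing caught during the same window is not released along with the false positives.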