Phishing Causes Exchange Online To Quarantine Legitimate Emails

A no junk mail box on a blue door (Photo by Miguel A Amutio on Unsplash)

Summary
  • Microsoft logged service alert EX1227432 after erroneous phishing detections began on 5 February 2026
  • A new URL detection rule wrongly flagged safe links and caused widespread quarantines
  • Engineers are unblocking confirmed legitimate URLs and releasing affected emails
  • Phishing remains hard to detect; automated tools reach about 80 to 90 percent success

Phishing protections in Microsoft Exchange Online have been incorrectly flagging legitimate messages since 5 February 2026, Microsoft says, leaving some users unable to send or receive email normally. Microsoft logged the disruption as service alert EX1227432 in the Microsoft 365 admin centre and classified the problem as a service degradation.

Microsoft says the root cause was a newly introduced URL detection rule, intended to catch more advanced spam and phishing techniques, that began marking safe links as malicious. Over the weekend Microsoft confirmed the rule caused misclassification, and reporting by WinBuzzer has likewise identified the rule as the primary factor. Some detections labeled as high confidence phish can override tenant allow lists, complicating remediation for administrators.

Engineers are manually reviewing quarantined messages and unblocking URLs confirmed to be legitimate, Microsoft says, and the company is working to release affected emails back to users. Some customers have already noticed previously quarantined messages arriving in their inboxes. Microsoft has not shared an estimated timeline for a full fix, nor disclosed how many customers or regions are affected.

Phishing Techniques And Defensive Trade-Offs

Phishing is a form of social engineering where attackers use fraudulent emails to trick recipients into revealing sensitive information or installing malware. Typical components include a fraudulent but similar sender domain, incorrect branding, generic content, spelling errors, a sense of urgency, fake links, and incorrect recipient names. Modern campaigns increasingly target multi-factor authentication, using man-in-the-middle techniques and tools to capture session tokens.

Automated anti-phishing systems must balance detection sensitivity with reliable email delivery. When detection is tuned aggressively it produces false positives, as in the current Exchange Online incident. Automated detection remains imperfect, with content-based analysis reported to reach between 80 percent and 90 percent success, so many tools retain manual certification steps. The problem is not new: Microsoft changed phishing detection in 2024, causing misidentifications tied to domain creation dates, and in 2025 machine learning models wrongly flagged Gmail messages under incident EX1064599.

Defensive measures include blacklists and Safe Browsing style checks, specialised spam filters that use machine learning, and multi-factor authentication. However, multi-factor systems can be bypassed by advanced phishing, man-in-the-middle attacks, and authentication fatigue tactics. Administrators are advised to monitor the Microsoft 365 admin centre, review quarantined messages, prepare incident playbooks, and maintain backup communication channels while Microsoft continues remediation.
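One way an administrator could carry out the quarantine review described above, as an added example that is not from the article or from Microsoft's own guidance: it uses the Exchange Online PowerShell module to pull Phish and HighConfPhish quarantine entries received since 5 February 2026 (both types, since the article notes high confidence phish verdicts can override tenant allow lists), summarises them by sender domain, and releases only entries a reviewer has marked. The admin account, file paths and the Release column are assumptions.

```powershell
# Added example (not the article's or Microsoft's code). Assumes the
# ExchangeOnlineManagement module is installed and the account below is an
# Exchange administrator; paths and the 'Release' review column are assumed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # assumed account

# Incident window: misclassification began on 5 February 2026 (from the article).
$since = Get-Date '2026-02-05'

function Get-IncidentQuarantine {
    # Page through every Phish / HighConfPhish entry received since $since.
    # PageSize 1000 is the cmdlet's maximum; stop when a short page comes back.
    $page = 1
    do {
        $batch = Get-QuarantineMessage -StartReceivedDate $since `
                    -QuarantineTypes Phish, HighConfPhish -PageSize 1000 -Page $page
        $batch
        $page++
    } while (@($batch).Count -eq 1000)
}

$items = Get-IncidentQuarantine

# Summarise by sender domain so reviewers can spot trusted partners and vendors
# swept up by the rule instead of reading thousands of entries one by one.
$items |
    Group-Object { ($_.SenderAddress -split '@')[-1].ToLower() } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Export the full set for offline review. The reviewer records each decision by
# adding a 'Release' column (Y/N) to this CSV before running the next step.
$items |
    Select-Object Identity, ReceivedTime, Type, SenderAddress,
                  @{n='Recipients'; e={ $_.RecipientAddress -join ';' }}, Subject |
    Export-Csv -Path '.\quarantine-review.csv' -NoTypeInformation

function Release-ReviewedMessages {
    param([string]$ReviewCsv = '.\quarantine-review.csv')
    # Release only rows a reviewer marked Release=Y. -ReportFalsePositive sends
    # the sample to Microsoft, which is how the mistuned rule gets corrected.
    Import-Csv $ReviewCsv | Where-Object Release -eq 'Y' | ForEach-Object {
        Release-QuarantineMessage -Identity $_.Identity -ReleaseToAll -ReportFalsePositive
    }
}
```

Run the first part to produce the CSV, review it, then call Release-ReviewedMessages; releasing in bulk without the review step would defeat the purpose of the quarantine.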