Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages
Source: Bleeping Computer

Microsoft says an Exchange Online issue that mistakenly quarantined legitimate emails last week was triggered by faulty heuristic detection rules designed to block credential‑phishing campaigns.
Incident Overview
A software error in Microsoft’s email security system incorrectly flagged thousands of legitimate URLs as phishing links for nearly a week, blocking users from opening emails and Teams messages. The incident was tracked by Microsoft under EX1227432 and began on February 5, with full resolution achieved on February 12.
Timeline
| Date | Event |
|---|---|
| Feb 5 | Faulty heuristic detection rules deployed. |
| Feb 5‑12 | Legitimate URLs flagged as phishing; emails and Teams messages quarantined or blocked. Administrators received false‑positive alerts for “potentially malicious URL clicks.” |
| Feb 12 | Issue resolved; detection rules rolled back. |
| Feb 19 (Monday) | Preliminary post‑incident report published. |
| Within 5 business days | Microsoft to release final report. |
Root Cause
- Logic error in a detection system aimed at novel credential‑phishing attacks.
- After an update, the system began flagging legitimate URLs at a far higher rate than intended.
- Automated responses (e.g., ZAP events) removed affected emails and Teams messages, amplifying the problem.
- Additional bugs in Microsoft’s security signature infrastructure delayed rollback of the flawed rules.
“This issue occurred due to a logic error in a heuristic detection aimed at novel credential phishing campaigns that spiked several hours after release,” Microsoft explained.
“The spike resulted in thousands of URLs being incorrectly identified as phishing, triggering blocks for newly delivered emails containing those URLs, ZAP events to remove email and Teams messages, and XDR alerts for click events related to these alerts.”
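The failure chain described above (a rule's hit rate spiking hours after release, automated ZAP-style removal amplifying every false verdict, and rollback lagging behind) is what a post-release guard on a detection rule is meant to catch. The following is an added Python example, not Microsoft's code; the rule name, baseline rate and thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class RuleGuard:
    """Watches one heuristic rule's hourly hit count after release.

    If hits stay far above the pre-release baseline for consecutive hours,
    the guard switches automated remediation from purge (ZAP-style removal)
    to audit-only and requests a rollback, limiting blast radius while the
    rule is investigated.
    """
    rule_id: str
    baseline_per_hour: float          # pre-release hit rate (constructed value)
    spike_factor: float = 5.0         # hits above baseline * factor count as "hot"
    hot_hours_to_trip: int = 2        # consecutive hot hours before tripping
    remediation: str = "purge"        # "purge" = remove mail/messages; "audit" = log only
    rollback_requested: bool = False
    _hot_streak: int = 0
    events: list = field(default_factory=list)

    def observe_hour(self, hits: int) -> str:
        """Record one hour of verdicts; return the remediation mode now in force."""
        threshold = self.baseline_per_hour * self.spike_factor
        self._hot_streak = self._hot_streak + 1 if hits > threshold else 0
        if self._hot_streak >= self.hot_hours_to_trip and self.remediation == "purge":
            # Disable the automated purge first: it is what turns a bad verdict
            # into deleted mail and Teams messages. Then ask for rollback.
            self.remediation = "audit"
            self.rollback_requested = True
            self.events.append(
                f"{self.rule_id}: {hits} hits/h exceeds {threshold:.0f}/h "
                f"for {self._hot_streak}h; remediation=audit, rollback requested"
            )
        return self.remediation


def apply_verdict(guard: RuleGuard, is_phish: bool) -> str:
    """Map a rule verdict to an action under the guard's current mode."""
    if not is_phish:
        return "deliver"
    # In audit mode the message is still delivered but an alert is raised,
    # so a false verdict costs a ticket rather than a lost email.
    return "purge" if guard.remediation == "purge" else "deliver+alert"


def simulate(hourly_hits):
    """Replay a constructed series of hourly hit counts through a fresh guard."""
    guard = RuleGuard("cred-phish-heuristic-v2", baseline_per_hour=40)
    modes = [guard.observe_hour(h) for h in hourly_hits]
    return guard, modes
```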
Impact
- Users who received emails or Teams messages containing the flagged URLs could not open the links.
- Some emails were quarantined entirely.
- Microsoft has not disclosed the total number of affected users but classified the event as an incident, indicating noticeable user impact.
Related Past Issues
- Gmail‑spam false positives: An Exchange Online bug caused a machine‑learning model to incorrectly flag Gmail‑originated emails as spam.
- Quarantine of user emails: A separate anti‑spam system bug mistakenly quarantined some users’ emails.
- September 2024 URL block: An anti‑spam service issue blocked Exchange Online and Teams users from opening URLs and quarantined some emails.
- Copilot Chat bug: A bug allowed Microsoft 365 Copilot Chat to summarize confidential emails since late January.
Next Steps
- Microsoft will publish a final incident report within five business days of full resolution.
- Ongoing work to improve detection logic and reduce false positives in the email security pipeline.