Legitimate business emails are being mistakenly classified as phishing attempts due to a significant bug affecting Microsoft Exchange Online. Beginning on February 5, 2026, this service degradation—which is being tracked as incident EX1227432—has placed legitimate messages in quarantine, preventing them from getting to inboxes. A new anti-spam rule that detects malicious URLs in emails is the source of the issue.
Microsoft aimed to prevent sophisticated phishing attacks, in which cybercriminals conceal harmful links within messages. However, the rule went too far and is now classifying common, safe URLs as dangerous. This leads to "false positives," in which innocuous emails are automatically placed in quarantine. Both incoming and outgoing emails are stuck for affected users.
Important business communications, such as client updates or invoices that include links to reliable websites (like Dropbox shares), are not being delivered.
Administrators around the world report that productivity stalls as teams rush to release trapped messages. The problem affects businesses that use Exchange Online in Microsoft 365, though Microsoft has not disclosed precise impact figures. The rule targets particular URL patterns that resemble phishing techniques, even when the URLs are harmless.
For instance, if a valid link matches heuristics for shortened or obfuscated URLs used by attackers, the filter may be activated.

Technical Root Cause: An excessively harsh spam filter

Fundamentally, Exchange Online's anti-spam system makes use of machine learning models that have been trained on enormous phishing sample datasets. The goal of the most recent update was to detect "zero-day" threats and new attacks that lacked signatures. Nevertheless, the model overgeneralized and misclassified valid domains.
Quarantined emails appear under "High Confidence Phishing" in the Microsoft 365 Defender portal. Administrators can review them there, although bulk releases are laborious and manual. Some users report partial fixes: Microsoft is restoring access to previously blocked emails by whitelisting the impacted URLs.
The company recommends checking the Microsoft 365 Admin Center for updates on EX1227432. Resolution is ongoing as of February 10, 2026; there is no specific estimated time of resolution. While complete recovery lags, IT teams observe sporadic improvements. This incident highlights a risk of AI-driven security: defenses that aren't tuned can backfire.
Here's how to react:

Visit the Microsoft 365 Defender portal to keep an eye on quarantine every day. Search for quarantined items by sender or subject, then release the legitimate ones with a single click.

Use the quarantine "Submit for Analysis" tool to submit false positives. This feeds data back to Microsoft and allows for faster filter retraining.

Verify the Mail Flow Rules: To prevent conflicts, review custom rules in the Exchange admin center. However, avoid broad bypasses because high-confidence phishing overrides them.

Temporary Solutions: Prior to testing, route important emails through authorized gateways or employ transport rules for known secure domains.

Microsoft promises to reduce recurrences by making changes to the filter. In the meantime, this is a reminder that proactive monitoring is necessary for even the best platforms, such as Exchange. To prevent future hiccups, be alert and review quarantine once a week.
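The quarantine review and release steps above can also be done from Exchange Online PowerShell instead of the portal. The script below is an added example, not from the article or from Microsoft; it assumes an existing `Connect-ExchangeOnline` session with quarantine permissions, and the addresses in `$TrustedSenders` are placeholders.

```powershell
# Added example: triage "High Confidence Phishing" quarantine entries.
# Assumes the ExchangeOnlineManagement module and a Connect-ExchangeOnline session.

# Assumption: senders your organization has verified out of band (placeholders).
$TrustedSenders = @('billing@partner.example', 'updates@client.example')
$Since   = Get-Date '2026-02-05'   # incident start date given in the article
$Release = $false                  # $false = preview only; $true = release

# Page through high-confidence phishing items that are still held.
$items = @()
$page  = 1
do {
    $batch = @(Get-QuarantineMessage -QuarantineTypes HighConfPhish `
        -StartReceivedDate $Since -EndReceivedDate (Get-Date) `
        -ReleaseStatus NotReleased -PageSize 1000 -Page $page)
    $items += $batch
    $page++
} while ($batch.Count -eq 1000)

# A sender address can be spoofed, so treat a match as a candidate only and
# read the preview table before switching $Release to $true.
$candidates = @($items | Where-Object { $TrustedSenders -contains $_.SenderAddress })
$others     = @($items | Where-Object { $TrustedSenders -notcontains $_.SenderAddress })

'{0} held, {1} from verified senders, {2} left for manual review' -f `
    $items.Count, $candidates.Count, $others.Count
$candidates | Sort-Object ReceivedTime |
    Format-Table ReceivedTime, SenderAddress, Subject -AutoSize

foreach ($msg in $candidates) {
    if ($Release) {
        # -ReportFalsePositive also submits the message to Microsoft.
        Release-QuarantineMessage -Identity $msg.Identity -ReleaseToAll `
            -ReportFalsePositive -Confirm:$false
    } else {
        Release-QuarantineMessage -Identity $msg.Identity -ReleaseToAll `
            -ReportFalsePositive -WhatIf
    }
}

# Everything else stays quarantined; summarize by sender for a human reviewer.
$others | Group-Object SenderAddress | Sort-Object Count -Descending |
    Select-Object Count, Name
```

With `$Release` left at `$false` the script changes nothing and only shows what would be released.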










