
Microsoft Exchange Online has been quarantining legitimate business emails due to a malfunction in its anti-phishing system, affecting organisations worldwide since 5 February 2026.

The incident, tracked as service alert EX1227432 in the Microsoft 365 admin centre, has caused operational disruptions, with some users unable to send or receive emails normally. Microsoft classified the situation as a service degradation, signalling significant impact on global business communications.

Understanding Phishing and Its Risks

Phishing is a form of cyberattack where fraudulent emails attempt to trick users into sharing sensitive information or login credentials. Microsoft's anti-phishing measures are designed to detect these sophisticated threats before they reach users.

However, security systems must carefully balance detection sensitivity and legitimate email delivery. Errors in this balance can lead to legitimate messages being misidentified as malicious, as seen in the current Exchange Online incident.

Technical Cause Behind the Email Blockages

The root cause of the disruption lies in a newly introduced URL detection rule intended to catch advanced phishing techniques. The system is incorrectly flagging safe URLs as malicious, leading to a surge in false positives.

Some detections classified as 'high confidence phish' can override tenant-side allow lists, complicating remediation for administrators.

According to reporting by WinBuzzer, Microsoft confirmed that the overly aggressive URL detection rule in Exchange Online is the primary factor behind the false positives and the quarantine of legitimate emails, stating that 'some users' legitimate email messages are being marked as phishing and quarantined in Exchange Online.'

Impact on Organisations and Users

The malfunction is affecting both inbound and outbound emails, with messages trapped in quarantine and businesses experiencing delays in communication. IT administrators have reported that attachments, image-heavy signatures, and senders lacking DMARC can trigger false phishing alerts.

The disruption is causing operational strain, with delayed contracts and missed deadlines reported in affected organisations. Microsoft has not disclosed which regions or how many customers are impacted, leaving administrators with uncertainty in planning alternative communication strategies.

Microsoft Response and Remediation Efforts

Microsoft engineers are actively reviewing quarantined messages and unblocking URLs confirmed as legitimate. Some messages have already been released to users, though the company has not provided a complete timeline for full resolution.

Manual review remains necessary for many emails, highlighting the difficulty of reversing automated quarantines. Users and IT administrators are advised to monitor the Microsoft 365 admin centre for updates and manage quarantined messages as part of ongoing remediation.

Historical Context and Recurring Issues

This is not the first time Exchange Online has experienced similar issues. In 2024, a change to the phishing detection system misidentified legitimate emails due to domain creation dates, causing a disruption that lasted over two weeks.

In 2025, machine learning models incorrectly flagged Gmail emails as spam during incident EX1064599. These recurring false positives demonstrate the ongoing challenges Microsoft faces in balancing aggressive security measures with reliable email delivery for enterprise users.

Guidance for IT Administrators

Organisations dependent on Microsoft Exchange Online are advised to establish backup communication channels and develop incident response playbooks.

Administrators should review quarantined messages to identify emails confirmed as legitimate and prepare contingency plans in case resolution takes longer than expected. Proactive monitoring remains critical as Microsoft continues to address EX1227432, and no definitive timeline has been provided for full service restoration.
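One way to carry out the quarantine review described above is a read-only triage in Exchange Online PowerShell. This is an added example, not code from Microsoft or from the original article. It assumes the ExchangeOnlineManagement module, an existing Connect-ExchangeOnline session with quarantine permissions, and a constructed output file name.

```powershell
# Added example: read-only triage of messages quarantined during EX1227432.
# Assumes Connect-ExchangeOnline has already been run in this session.

$start    = Get-Date '2026-02-05'   # incident start date given in the article
$pageSize = 1000                    # largest page size the cmdlet accepts
$page     = 1
$messages = @()

# Page through unreleased messages quarantined as high confidence phish,
# the verdict the article says can override tenant-side allow lists.
do {
    $batch = @(Get-QuarantineMessage -QuarantineTypes HighConfPhish `
        -StartReceivedDate $start -EndReceivedDate (Get-Date) `
        -ReleaseStatus NotReleased -PageSize $pageSize -Page $page)
    $messages += $batch
    $page++
} while ($batch.Count -eq $pageSize)

# Summarise by sender domain so that known partners with many hits
# are reviewed first.
$summary = $messages |
    Group-Object { ($_.SenderAddress -split '@')[-1].ToLower() } |
    Sort-Object Count -Descending |
    Select-Object @{n='SenderDomain'; e={ $_.Name }}, Count,
        @{n='FirstSeen';  e={ $_.Group.ReceivedTime | Sort-Object | Select-Object -First 1 }},
        @{n='Directions'; e={ ($_.Group.Direction | Sort-Object -Unique) -join ',' }}

$summary | Format-Table -AutoSize

# Export per-message detail for manual review. Nothing is released here:
# genuine phishing can sit in the same queue as the false positives, so
# each message is checked before anyone runs Release-QuarantineMessage.
$messages |
    Select-Object ReceivedTime, Direction, SenderAddress,
        @{n='Recipients'; e={ $_.RecipientAddress -join ';' }},
        Subject, Identity |
    Export-Csv -Path .\EX1227432-quarantine-review.csv -NoTypeInformation
```

The Identity column in the export is the value Release-QuarantineMessage takes for an individual release once a message has been confirmed legitimate.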