Microsoft 365 message security changes: Teams user reporting expansion and Exchange Online false-positive quarantines
Microsoft is expanding end-user reporting in Microsoft Teams by enabling Defender for Office 365 Plan 1 customers to report suspicious messages directly in Teams (Roadmap ID 531760), a capability previously limited to Plan 2. The feature is intended to strengthen collaboration-platform defenses by letting users classify messages as Security Risk (suspected phishing/malware/spam) or Not a Security Risk (false positives). These reports are meant to provide additional signals to SOC workflows and improve detection of chat-based social engineering, such as BEC-style lures delivered via Teams. The rollout is expected to complete by late March 2026 and requires administrative enablement.
Separately, Microsoft acknowledged an Exchange Online service issue in which legitimate emails were incorrectly marked as phishing/spam and quarantined, disrupting some users’ ability to send/receive email. Microsoft attributed the false positives to a new URL rule that misclassified certain legitimate URLs/domains as malicious due to evolving detection criteria. Some previously quarantined messages may begin reappearing as mitigations roll out, but other emails may remain quarantined until the fix is fully deployed. Affected organizations are advised to review quarantine for missing legitimate mail.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Microsoft targets late-March rollout completion for Teams reporting expansion
Microsoft said rollout of the expanded Teams malicious-message reporting capability for Defender for Office 365 Plan 1 users is expected to complete in late March 2026. Once deployed, organizations that enable the required Defender settings will be able to let users report suspicious Teams messages for review.
Microsoft begins remediating Exchange Online false-positive quarantines
By February 10, 2026, Microsoft said it was making progress fixing the Exchange Online false-positive issue, with some quarantined legitimate emails starting to return to inboxes while others remained in quarantine. Users were advised to review the Microsoft Defender Quarantine page and manually release valid messages pending full remediation.
Microsoft updates roadmap to expand Teams message reporting to Defender Plan 1
On February 9, 2026, Microsoft updated Microsoft 365 Roadmap item 531760 to extend suspicious Microsoft Teams message reporting to Microsoft Defender for Office 365 Plan 1 users, a capability previously limited to Plan 2. The opt-in feature lets users classify reported Teams messages as security risks or false positives and routes submissions for centralized triage.
Exchange Online starts misclassifying legitimate emails as phishing/spam
On February 5, 2026, a new Exchange Online URL rule began incorrectly flagging some legitimate emails as malicious, causing them to be quarantined and potentially missed by users. Microsoft attributed the issue to anti-phishing criteria that mistakenly classified certain legitimate URLs as unsafe.

