Microsoft 365 Disruptions: Exchange Online False-Positive Phishing Blocks and Microsoft Teams Service Degradation
Microsoft reported a Microsoft 365 security-service failure in which Exchange Online anti-phishing heuristics incorrectly classified thousands of legitimate URLs as credential-phishing, leading to quarantined emails, blocked link access, and removal of messages via automated actions (including ZAP) across email and Microsoft Teams. The incident (tracked as EX1227432) ran from Feb 5 to Feb 12 and generated false XDR-style alerts such as “potentially malicious URL click was detected”; Microsoft attributed the impact to a logic error in newly updated heuristic detection, with additional tooling and a separate signature-system bug compounding and delaying rollback.
Separately, Microsoft also worked an active Microsoft Teams outage/service degradation (tracked as TM1233974) affecting some users in the United States and Europe, with delays/failures sending and receiving chats that include inline media and issues joining meetings or signing in. A third item—abuse of Atlassian Jira Cloud notification emails to deliver localized scam lures and redirect victims to casino/investment fraud—describes a distinct threat campaign unrelated to the Microsoft 365 incidents and should be treated as a separate story.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Microsoft mitigates Teams outage by reverting configuration change
About an hour after reporting the Teams disruption on 2026-02-17, Microsoft said the impact was remediated by reverting a configuration change. The company attributed the outage to a subsection of Teams caching infrastructure falling below performance thresholds.
Microsoft reports Teams service degradation in the US and Europe
On 2026-02-17, Microsoft disclosed incident TM1233974 affecting some Teams users in Europe and the United States, causing access delays and failures, problems joining meetings, signing in, and issues sending or receiving chat messages with inline media. Microsoft also noted separate concurrent Teams incidents affecting meeting joins via the Join button and Copilot Studio agent updates in Teams.
Microsoft fully resolves Exchange Online and Teams false-positive blocking incident
On 2026-02-12, Microsoft said it fully resolved incident EX1227432 after rollback efforts were delayed by a separate bug in security signature systems. The company later published a preliminary post-incident report and said a final report would follow within five business days.
Faulty anti-phishing rule update begins misclassifying legitimate URLs
On 2026-02-05, a logic error introduced after an update to Exchange Online heuristic detection rules caused thousands of legitimate URLs to be incorrectly classified as phishing. The issue triggered automated URL blocking, message removals, quarantining of legitimate emails, and false security alerts across Exchange Online and Microsoft Teams.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft 365 message security changes: Teams user reporting expansion and Exchange Online false-positive quarantines
Microsoft is expanding end-user reporting capabilities in **Microsoft Teams** by enabling **Defender for Office 365 Plan 1** customers to report suspicious messages directly in Teams (Roadmap ID `531760`), a capability previously limited to Plan 2. The feature is intended to strengthen collaboration-platform defenses by letting users classify messages as **Security Risk** (suspected phishing/malware/spam) or **Not a Security Risk** (false positives), providing additional signals to SOC workflows and improving detection for chat-based social engineering such as **BEC-style** lures delivered via Teams; the rollout is expected to complete by late March 2026 and requires administrative enablement. Separately, Microsoft acknowledged an **Exchange Online** service issue in which legitimate emails were incorrectly marked as phishing/spam and quarantined, disrupting some users’ ability to send/receive email. Microsoft attributed the false positives to a **new URL rule** that misclassified certain legitimate URLs/domains as malicious due to evolving detection criteria; some previously quarantined messages may begin reappearing as mitigations roll out, but other emails may remain quarantined until the fix is fully deployed, and affected organizations are advised to review quarantine for missing legitimate mail.
Mar 21, 2026
Microsoft cloud service disruptions affecting Microsoft 365, Exchange Online, and Windows Update/Store
Microsoft reported multiple **service-impacting incidents** across its cloud ecosystem. Administrators in **North America and Canada** experienced an outage and degraded performance in the **Microsoft 365 admin center**, with some users also unable to access the *M365 app* or raise support tickets; Microsoft said it was analyzing telemetry, usage patterns, and **CPU utilization**, and reviewing user-provided **HAR files** to isolate the root cause. Separately, **Exchange Online** quarantined legitimate messages after an updated **URL rule** incorrectly marked some URLs as phishing, disrupting email flow for affected customers while Microsoft worked to release quarantined mail and unblock legitimate URLs. In another disruption, Microsoft attributed **Windows Update** and **Microsoft Store** failures/timeouts (notably impacting Windows 11 users) to a **utility power interruption** at a **West US datacenter**, which cascaded into issues with **Azure storage clusters** supporting content delivery; backup power engaged and power was later stabilized, but service recovery required additional remediation beyond restoring electricity.
Mar 21, 2026Microsoft Warns of Surging QR-Code Phishing After Exchange Anti-Phishing Failure
Microsoft said attackers are increasingly using **QR-code phishing** to steal credentials, with the company analyzing **8.3 billion** email-based phishing threats in Q1 2026 and recording a **146% increase** in quishing activity. Researchers said more than **35,000 users** across roughly **13,000 organizations** were targeted through emails, PDFs, and fake CAPTCHA pages carrying malicious QR codes that redirected victims through multiple sites to counterfeit login portals. Microsoft also reported a **336% surge** in QR codes embedded directly in emails in March, alongside continued business email compromise lures and phishing kits such as **Tycoon2FA**, which it disrupted with Europol before operators began rebuilding infrastructure and shifting toward `.RU` domains. The warning follows a separate Microsoft 365 security incident in which faulty heuristic anti-phishing rules in Exchange Online and Teams wrongly flagged legitimate content as malicious. The incident, tracked as **`EX1227432`**, caused valid emails to be quarantined, links to be blocked, **Zero-hour Auto Purge (ZAP)** actions to trigger incorrectly, and false **Microsoft XDR** alerts to be sent after a logic error misclassified legitimate URLs as phishing links. Microsoft said the outage was prolonged by bugs in related signature and rollback systems, underscoring how both attacker evasion and defensive misfires can disrupt cloud email security and credential protection efforts.
May 25, 2026