CyberSecurityNews

Microsoft 365 Exchange URL Filtering Update Quarantines Legitimate Emails as Phishing


A faulty URL filtering rule update in Microsoft Exchange Online triggered a widespread false-positive storm beginning February 9, 2026, causing legitimate email messages to be incorrectly flagged as phishing and quarantined, disrupting email workflows for organizations globally.

Microsoft tracked the incident under reference EX1227432. The issue was officially resolved on February 13, 2026, after a five-day remediation window during which Microsoft engineers worked to identify and release the improperly quarantined messages.

The root cause was an updated URL filtering rule that Microsoft deployed to strengthen detection of sophisticated spam and phishing campaigns. While the intent was to improve anti-phishing coverage, the rule change contained logic errors that caused it to flag legitimate URLs present in routine business emails.

As a result, Exchange Online’s anti-spam engine quarantined messages that posed no actual threat, preventing recipients from receiving expected correspondence and blocking senders from successful delivery.

As Cybersecuritynews already reported, the scope of impact was described as affecting “some users” sending or receiving Exchange Online email, though the NHS-linked advisory suggests the disruption extended across enterprise and healthcare-sector tenants. Microsoft did not publicly quantify the number of affected mailboxes or messages.

Incident Timeline

| Event | Date & Time |
| --- | --- |
| Incident Reported | February 9, 2026, 08:30 AM |
| Preliminary Root Cause Identified | February 9, 2026 |
| Message Release Initiated | February 9–13, 2026 |
| Final Resolution Confirmed | February 13, 2026, 09:01 AM |

Microsoft validated the successful release of the remaining quarantined messages before closing the incident. In its post-incident statement, the company acknowledged the need to improve URL rule implementation processes to reduce similar false-positive detections going forward.

Microsoft also emphasized its commitment to adapting anti-phishing defenses as spam and phishing techniques continue to evolve — a difficult balancing act between aggressive detection coverage and minimizing collateral impact on legitimate mail flow.

This incident highlights a persistent challenge in email security: overly aggressive filtering rules can be just as disruptive as the threats they aim to block.

Organizations relying heavily on Exchange Online for critical communication, particularly in healthcare and public sector environments, are advised to routinely audit quarantine folders and configure quarantine digest notifications, ensuring that false positives do not silently delay time-sensitive correspondence.
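
One way to run the quarantine audit recommended above, as an added example that is not from the article or from Microsoft. It assumes the ExchangeOnlineManagement PowerShell module and an account allowed to view quarantine; the date range mirrors the incident window, and the output file name is constructed for illustration.

```powershell
# Added example. Connect with an account that has quarantine read permissions.
Connect-ExchangeOnline

# Incident window from the article (end date is exclusive of Feb 14 onward).
$start = Get-Date '2026-02-09'
$end   = Get-Date '2026-02-14'

# Page through every phishing-verdict message that is still held in quarantine.
$held = @()
$page = 1
do {
    $batch = @(Get-QuarantineMessage -StartReceivedDate $start -EndReceivedDate $end `
                 -QuarantineTypes Phish,HighConfPhish -ReleaseStatus NotReleased `
                 -PageSize 1000 -Page $page)
    $held += $batch
    $page++
} while ($batch.Count -eq 1000)

# Daily volume. Heuristic: a sharp jump spread across many unrelated senders
# is worth checking against the Microsoft 365 service health dashboard.
$held | Group-Object { $_.ReceivedTime.ToString('yyyy-MM-dd') } |
    Sort-Object Name | Select-Object Name, Count

# Sender domains with the most held mail; known business partners appearing
# here are the first candidates for false-positive review.
$held | Group-Object { ($_.SenderAddress -split '@')[-1].ToLower() } |
    Sort-Object Count -Descending | Select-Object -First 20 Name, Count

# Export for analyst review. RecipientAddress is a collection, so join it.
$held | Select-Object ReceivedTime, SenderAddress,
        @{ Name = 'Recipients'; Expression = { $_.RecipientAddress -join ';' } },
        Subject, Type, PolicyName, Identity |
    Export-Csv -Path .\quarantine-review.csv -NoTypeInformation
```

Messages confirmed as legitimate can then be released individually with `Release-QuarantineMessage` using the exported `Identity` value.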

Microsoft Exchange Online’s anti-phishing infrastructure remains a primary layer of defense for millions of enterprise tenants, making careful rule validation and staged rollouts essential to avoiding future incidents of this nature.
