
Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages


Microsoft says an Exchange Online issue that mistakenly quarantined legitimate emails last week was triggered by faulty heuristic detection rules designed to block credential phishing campaigns.

As Microsoft explains in a preliminary post-incident report published this week, a software error in its email security system incorrectly flagged thousands of legitimate URLs as phishing links for nearly a week, blocking users from opening emails and Teams messages.

The incident, tracked by Microsoft under EX1227432, began on February 5 and was not fully resolved until February 12. During that period, users across Exchange Online and Microsoft Teams were unable to open links in messages, with some of their emails quarantined entirely.

Administrators also received warnings that a "potentially malicious URL click was detected," alerts that Microsoft later confirmed were false positives.

The root cause was a logic error in a detection system designed to identify new credential phishing attacks. Shortly after the system was updated, it began flagging legitimate URLs at a far higher rate than intended, triggering a cascade of automated responses that aggravated the problem.

Other security tools within Microsoft's detection infrastructure also amplified the incident's impact, and a separate bug in the company's security signature systems further delayed efforts to roll back the flawed detection rules.

"This issue occurred due to a logic error in a heuristic detection aimed at novel credential phishing campaigns that spiked several hours after release," Microsoft explained.

"This spike in detection resulted in thousands of URLs being incorrectly identified as phishing, triggering blocks for newly delivered emails containing those URLs, ZAP events to remove email and Teams messages with those URLs in them, and also generating XDR alerts for click events related to these alerts."
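The cascade Microsoft describes (one heuristic's hit rate spikes, and blocks, ZAP removals and XDR alerts follow automatically) is the kind of failure a hit-rate guard in front of automated remediation is meant to contain. The following is an added illustration, not Microsoft's code: the rule name, the 1% baseline, the thresholds and the URLs are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field


# Heuristic verdict on one URL seen in mail or a Teams message (constructed).
@dataclass
class Verdict:
    url: str
    rule: str        # which detection rule produced the verdict
    phishing: bool   # True = the rule says the URL is phishing


@dataclass
class CascadeGuard:
    """Per-rule hit-rate guard. Automated remediation (block, ZAP, XDR alert)
    is allowed only while a rule's observed hit rate stays within
    max_multiplier of its expected baseline; beyond that, verdicts go to review."""
    baseline_rate: float            # assumed expected hit rate for the rule
    max_multiplier: float = 5.0
    min_sample: int = 50            # do not judge a rule on too few URLs
    hits: Counter = field(default_factory=Counter)
    seen: Counter = field(default_factory=Counter)

    def decide(self, v: Verdict) -> str:
        self.seen[v.rule] += 1
        if not v.phishing:
            return "deliver"
        self.hits[v.rule] += 1
        n = self.seen[v.rule]
        spiking = (n >= self.min_sample and
                   self.hits[v.rule] / n > self.baseline_rate * self.max_multiplier)
        # A spiking rule still surfaces its verdicts, but only for human review;
        # it no longer quarantines new mail or fires ZAP on delivered messages.
        return "review" if spiking else "block+zap+alert"


def run(verdicts):
    """Feed a stream of verdicts through the guard and return action counts."""
    guard = CascadeGuard(baseline_rate=0.01)   # assumed 1% baseline
    return Counter(guard.decide(v) for v in verdicts)


def stream(n=200, flagged_every=2, rule="cred-phish-v2"):
    """Constructed stream: with flagged_every=2 a freshly released rule flags
    every 2nd URL (50%), far above the 1% baseline, like the reported spike."""
    return [Verdict(f"https://example.test/{i}", rule, i % flagged_every == 0)
            for i in range(n)]
```

With the constructed 50% spike, only the first 25 flagged URLs are auto-remediated before the guard trips; the remaining 75 go to review instead of feeding block, ZAP and alert actions.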

Microsoft said that any user who received emails or Teams messages containing specific URLs may have been affected, but the company has yet to disclose the total number of impacted users. However, as BleepingComputer previously reported, Microsoft classified the issue as an "incident," which usually involves noticeable user impact.

While this preliminary report was published on Monday, Microsoft said that it will issue a final report within five business days of full resolution.
