Overview
Microsoft’s Exchange Online service is currently experiencing a false‑positive detection problem where legitimate messages are being marked as phishing and placed in quarantine.
Cause of the Issue
The problem stems from a newly deployed URL‑checking rule designed to capture more sophisticated phishing and spam tactics. The rules incorrectly identify certain legitimate URLs as malicious, leading to the entire email being flagged.
Impact on Users
Users may notice:
- Legitimate emails being moved to the quarantine folder.
- Delayed or missing communications from customers, partners, or internal teams.
- Potential confusion when previously‑blocked messages reappear in the inbox after Microsoft’s remediation.
Microsoft’s Response
Microsoft has publicly confirmed the cause and is actively working to:
- Release the incorrectly quarantined messages back to users’ inboxes.
- Unblock the affected URLs from the phishing‑detection engine.
- Provide an estimated time‑to‑resolution as soon as possible.
The company is also reviewing the new URL rule to prevent further false‑positive detections.
Recommendations for Administrators
While Microsoft resolves the issue, admins can mitigate the impact by:
- Turning off the new URL‑filtering rule in the Exchange Online protection policy (if possible).
- Manually reviewing the quarantine for critical communications and releasing them.
- Communicating the situation to end‑users to set expectations about potential delays.
Preventive Steps for Future Incidents
To reduce the chance of similar problems:
- Maintain a whitelist of essential URLs used by your organization.
- Implement a secondary verification step in your email‑processing workflow, such as a quick sanity‑check of flagged messages before they’re fully quarantined.
- Use automation platforms (e.g., Tines) to create a workflow that automatically alerts admins when a high volume of legitimate messages is being quarantined.
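The manual quarantine review from the administrator recommendations and the volume alert in the list above, combined into one added PowerShell example (not Microsoft's code or part of the original article). It assumes the ExchangeOnlineManagement module is installed, that the account has a role allowing quarantine management, and that the trusted-domain list and alert threshold are placeholders to be replaced with your organization's values.

```powershell
# Added example (not Microsoft's code): triage recent "Phish" verdicts in the
# Exchange Online quarantine, list messages from trusted sender domains as
# false-positive candidates, and warn when their volume crosses a threshold.
# Dry run by default; pass -Release to release the candidates to recipients.
param(
    [int]$LookbackHours = 24,
    [int]$AlertThreshold = 25,      # constructed value; tune per tenant
    [switch]$Release                # nothing is released unless this is set
)

# Constructed list of sender domains your organization trusts (placeholders).
# Sender domain alone is spoofable, so this is a triage aid: review the
# listed messages before releasing them.
$TrustedDomains = @('contoso.com', 'fabrikam.com')

Connect-ExchangeOnline -ShowBanner:$false

$since      = (Get-Date).AddHours(-$LookbackHours)
$candidates = @()
$page       = 1
do {
    # Page through quarantined messages with a Phish verdict (max 1000/page).
    $batch = Get-QuarantineMessage -QuarantineTypes Phish `
        -StartReceivedDate $since -PageSize 1000 -Page $page
    foreach ($m in $batch) {
        if ($m.Released) { continue }
        $domain = ($m.SenderAddress -split '@')[-1].ToLowerInvariant()
        if ($TrustedDomains -contains $domain) { $candidates += $m }
    }
    $page++
} while ($batch.Count -eq 1000)

Write-Host ("{0} Phish-quarantined messages from trusted domains in the last {1}h" -f `
    $candidates.Count, $LookbackHours)

if ($candidates.Count -ge $AlertThreshold) {
    # Hook point for a ticketing or automation webhook (e.g. Tines);
    # this example only emits a warning.
    Write-Warning "Possible false-positive spike: $($candidates.Count) >= $AlertThreshold"
}

$candidates | Select-Object ReceivedTime, SenderAddress, Subject | Format-Table -AutoSize

if ($Release) {
    foreach ($m in $candidates) {
        # Release to all original recipients; only run after reviewing the table.
        Release-QuarantineMessage -Identity $m.Identity -ReleaseToAll
    }
}
```

Schedule the dry-run form on a short interval so the warning fires while an incident like this one is unfolding, and keep the release step a deliberate, reviewed action.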
Conclusion
The false‑positive phishing detection is a temporary but disruptive issue. By staying informed, communicating with users, and using protective automation, administrators can keep communications flowing until Microsoft fully resolves the problem.