Microsoft has acknowledged a problem in Exchange Online that is pushing legitimate emails into quarantine as suspected phishing. The company says a URL-detection rule is overfiring, creating false positives that block some users from sending and receiving routine business messages. A fix is being rolled out, but affected tenants are seeing mixed results as quarantined mail is gradually released.
For organizations that live and die by their inbox, the practical question is simple: how do you recover missing messages now without opening the door to real threats? Here’s what’s happening and how to reduce disruption safely.
What Microsoft Says Is Happening With Quarantined Mail
In a service alert highlighted by BleepingComputer, Microsoft attributes the issue to a newly applied URL rule that is misclassifying some legitimate links as malicious. That misclassification elevates the risk score and routes messages to quarantine as phish, even when senders and content are trustworthy. Microsoft reports that remediation is underway, with some previously quarantined messages reappearing in inboxes while the broader fix propagates.
This type of false positive is a known side effect of aggressive anti-abuse tuning. As attackers iterate on link-shortening, redirect chains, and lookalike domains, filters tighten criteria to keep up—sometimes too far. Microsoft’s service health updates indicate the company is adjusting the rule to reduce collateral impact without weakening protection.
How To Recover Missing Messages Without Risk
Start with the Quarantine page in the Microsoft Defender portal under your work or school account. Filter for categories such as Phish and High Confidence Phish, then use the built-in preview to inspect headers, authentication results (SPF, DKIM, DMARC), and body content. Only release messages you can validate as legitimate; when in doubt, contact the sender via an alternate channel.
If you’re an admin, enable or tighten end-user quarantine notifications so employees are alerted to pending messages. Consider allowing user release for low-confidence spam while keeping high-confidence phish gated behind admin approval. This preserves a safety net while speeding recovery of routine mail.
Use Message Trace in the Exchange admin center to confirm whether messages were quarantined or dropped, and to identify patterns by sender domain, URL family, or campaign. Ask trusted partners to resend critical messages if necessary; some previously quarantined items may be delayed as Microsoft reprocesses backlogs.
Admin Playbook While the Fix Rolls Out Across Tenants
- Targeted allow rules: For business-critical senders you fully trust, create temporary, narrowly scoped mail flow rules that bypass spam filtering for specific sending IPs or domains. Set an expiration date and review frequently. Avoid broad bypasses that apply tenant-wide.
- Tenant Allow/Block List: Where the fault lies with specific URLs, consider adding known-good URLs or domains to the Tenant Allow/Block List in Microsoft Defender. Use time-bound entries and document approvals. This reduces friction without permanently weakening posture.
- Policy tuning, not disabling: Resist the urge to switch off anti-phishing. Instead, temporarily adjust anti-spam and anti-phish policies so suspected phish routes to Junk rather than Quarantine for lower-confidence detections. Keep high-confidence phish in Quarantine and maintain user education about Junk folder vigilance.
- Faster visibility: Enable admin alerts for spikes in quarantined phish, and surface a dashboard widget tracking quarantine volume and release activity. Use the Submissions portal to report false positives back to Microsoft—this feedback loop helps retrain classifiers faster.
- Authentication hygiene: Even though this incident centers on URLs, ensure your outbound domains have working SPF, DKIM, and DMARC. Proper alignment reduces the overall risk score of your mail and can lessen knock-on filtering.
Why Email Security Filters Sometimes Misfire on URLs
Industry telemetry from groups like Cisco Talos and M3AAWG has long shown that the majority of global email volume is unwanted, with spam often hovering around 85% of traffic. In that environment, precision is hard: incremental rule changes can tip the balance between catching evolving attacks and mislabeling legitimate campaigns.
The stakes justify the vigilance. Verizon’s Data Breach Investigations Report has consistently found that the human element—phishing, credential theft, and social engineering—drives a large share of breaches. The FBI’s Internet Crime Complaint Center continues to list business email compromise as the costliest threat category, with reported losses in the billions annually. Against that backdrop, Microsoft’s filters aggressively weight risky URLs, but outlier cases still slip into false-positive territory.
What To Watch Next As Microsoft Deploys the Fix
Monitor the Microsoft 365 Service health dashboard for confirmation that remediation has fully deployed. Expect a gradual normalization: quarantined messages may rehydrate into inboxes in batches, and some senders may need to reissue time-sensitive emails.
In the meantime, keep quarantine notifications flowing, narrow any temporary allow rules, and continue submitting false positives to Microsoft. This balances business continuity with the security guardrails organizations still need as attackers iterate on new URL-based lures.