Microsoft 365 message security changes: Teams user reporting expansion and Exchange Online false-positive quarantines
Microsoft is expanding end-user reporting in Microsoft Teams: Defender for Office 365 Plan 1 customers will be able to report suspicious messages directly in Teams (Roadmap ID 531760), a capability previously limited to Plan 2. The feature is intended to strengthen collaboration-platform defenses by letting users classify messages as Security Risk (suspected phishing/malware/spam) or Not a Security Risk (false positives). These reports give SOC workflows additional signals and improve detection of chat-based social engineering, such as BEC-style lures delivered via Teams. The rollout is expected to complete by late March 2026 and requires administrative enablement.
Separately, Microsoft acknowledged an Exchange Online service issue in which legitimate emails were incorrectly marked as phishing/spam and quarantined, disrupting some users’ ability to send/receive email. Microsoft attributed the false positives to a new URL rule that misclassified certain legitimate URLs/domains as malicious due to evolving detection criteria. Some previously quarantined messages may begin reappearing as mitigations roll out, but other emails may remain quarantined until the fix is fully deployed. Affected organizations are advised to review quarantine for missing legitimate mail.
Timeline
Mar 31, 2026
Microsoft targets late-March rollout completion for Teams reporting expansion
Microsoft said rollout of the expanded Teams malicious-message reporting capability for Defender for Office 365 Plan 1 users is expected to complete in late March 2026. Once deployed, organizations that enable the required Defender settings will be able to let users report suspicious Teams messages for review.
Feb 10, 2026
Microsoft begins remediating Exchange Online false-positive quarantines
By February 10, 2026, Microsoft said it was making progress fixing the Exchange Online false-positive issue, with some quarantined legitimate emails starting to return to inboxes while others remained in quarantine. Users were advised to review the Microsoft Defender Quarantine page and manually release valid messages pending full remediation.
Feb 9, 2026
Microsoft updates roadmap to expand Teams message reporting to Defender Plan 1
On February 9, 2026, Microsoft updated Microsoft 365 Roadmap item 531760 to extend suspicious Microsoft Teams message reporting to Microsoft Defender for Office 365 Plan 1 users, a capability previously limited to Plan 2. The opt-in feature lets users classify reported Teams messages as security risks or false positives and routes submissions for centralized triage.
Feb 5, 2026
Exchange Online starts misclassifying legitimate emails as phishing/spam
On February 5, 2026, a new Exchange Online URL rule began incorrectly flagging some legitimate emails as malicious, causing them to be quarantined and potentially missed by users. Microsoft attributed the issue to anti-phishing criteria that mistakenly classified certain legitimate URLs as unsafe.
Related Stories

Microsoft 365 Disruptions: Exchange Online False-Positive Phishing Blocks and Microsoft Teams Service Degradation
Microsoft reported a Microsoft 365 security-service failure in which **Exchange Online** anti-phishing heuristics incorrectly classified thousands of legitimate URLs as credential-phishing, leading to quarantined emails, blocked link access, and removal of messages via automated actions (including ZAP) across **email and Microsoft Teams**. The incident (tracked as `EX1227432`) ran from Feb 5 to Feb 12 and generated false XDR-style alerts such as “potentially malicious URL click was detected”; Microsoft attributed the impact to a **logic error** in newly updated heuristic detection, with additional tooling and a separate signature-system bug compounding and delaying rollback. Separately, Microsoft also worked an active **Microsoft Teams** outage/service degradation (tracked as `TM1233974`) affecting some users in the **United States and Europe**, with delays/failures sending and receiving chats that include inline media and issues joining meetings or signing in. A third item—abuse of **Atlassian Jira Cloud** notification emails to deliver localized scam lures and redirect victims to casino/investment fraud—describes a distinct threat campaign unrelated to the Microsoft 365 incidents and should be treated as a separate story.
1 month ago
Microsoft Teams to Enforce Messaging Safety Defaults
Microsoft is set to automatically enable key messaging safety features in Microsoft Teams for tenants using default configurations, starting January 12, 2026. The update will activate protections against weaponizable file types, real-time malicious URL detection, and a reporting mechanism for false positives, aiming to reduce the risk of malware and phishing attacks within enterprise collaboration environments. Organizations that have previously customized their messaging safety settings will not be affected by this change, as their preferences will remain in place. End-users will experience changes such as warning labels on suspicious URLs and blocked messages when attempting to share high-risk file types. The reporting feature allows users to flag incorrect security detections, helping Microsoft refine its threat detection algorithms. IT administrators are advised to review and update their Teams configurations and internal documentation before the rollout to ensure a smooth transition and maintain desired security postures.
1 month ago
Microsoft Teams External Domains Anomalies Report Security Feature
Microsoft is introducing a new security feature for its Teams collaboration platform called the "External Domains Anomalies Report," aimed at enhancing the detection of suspicious or risky interactions with external organizations. This tool, scheduled for rollout in February 2026, will provide IT administrators with behavioral analytics to identify unusual communication patterns, such as sudden spikes in message volume to specific external domains or interactions with previously unseen domains. The feature is designed to address the growing security challenges posed by increased external collaboration and remote work, offering actionable intelligence to help prevent data leaks, social engineering attacks, and unauthorized use of third-party services. The report will be available for standard multi-tenant cloud environments via the Teams web platform and will help organizations maintain a balance between productive cross-organization work and robust data protection. In addition to this new reporting capability, Microsoft continues to enhance Teams' security posture by warning users about malicious links, improving protections against unsafe file types, and introducing features to block unauthorized screen captures and streamline client performance. The External Domains Anomalies Report represents a proactive step in giving administrators early visibility into potential threats arising from external communications.
1 month ago