Microsoft 365 Disruptions: Exchange Online False-Positive Phishing Blocks and Microsoft Teams Service Degradation

Tags: patch-regression, operational-disruption, widely-deployed-product-advisory
Updated March 21, 2026 at 02:23 PM | 2 sources

Microsoft reported a Microsoft 365 security-service failure in which Exchange Online anti-phishing heuristics incorrectly classified thousands of legitimate URLs as credential-phishing, leading to quarantined emails, blocked link access, and removal of messages via automated actions (including ZAP) across email and Microsoft Teams. The incident (tracked as EX1227432) ran from Feb 5 to Feb 12 and generated false XDR-style alerts such as “potentially malicious URL click was detected”; Microsoft attributed the impact to a logic error in newly updated heuristic detection, with additional tooling and a separate signature-system bug compounding and delaying rollback.

Separately, Microsoft also worked an active Microsoft Teams outage/service degradation (tracked as TM1233974) affecting some users in the United States and Europe, with delays/failures sending and receiving chats that include inline media and issues joining meetings or signing in. A third item—abuse of Atlassian Jira Cloud notification emails to deliver localized scam lures and redirect victims to casino/investment fraud—describes a distinct threat campaign unrelated to the Microsoft 365 incidents and should be treated as a separate story.

Timeline

  1. Feb 17, 2026

    Microsoft mitigates Teams outage by reverting configuration change

    About an hour after reporting the Teams disruption on 2026-02-17, Microsoft said the impact was remediated by reverting a configuration change. The company attributed the outage to a subsection of Teams caching infrastructure falling below performance thresholds.

  2. Feb 17, 2026

    Microsoft reports Teams service degradation in the US and Europe

    On 2026-02-17, Microsoft disclosed incident TM1233974 affecting some Teams users in Europe and the United States, causing access delays and failures, problems joining meetings, signing in, and issues sending or receiving chat messages with inline media. Microsoft also noted separate concurrent Teams incidents affecting meeting joins via the Join button and Copilot Studio agent updates in Teams.

  3. Feb 12, 2026

    Microsoft fully resolves Exchange Online and Teams false-positive blocking incident

    On 2026-02-12, Microsoft said it fully resolved incident EX1227432 after rollback efforts were delayed by a separate bug in security signature systems. The company later published a preliminary post-incident report and said a final report would follow within five business days.

  4. Feb 5, 2026

    Faulty anti-phishing rule update begins misclassifying legitimate URLs

    On 2026-02-05, a logic error introduced after an update to Exchange Online heuristic detection rules caused thousands of legitimate URLs to be incorrectly classified as phishing. The issue triggered automated URL blocking, message removals, quarantining of legitimate emails, and false security alerts across Exchange Online and Microsoft Teams.

Sources

February 17, 2026 at 12:00 AM

Related Stories

Microsoft 365 message security changes: Teams user reporting expansion and Exchange Online false-positive quarantines

Microsoft is expanding end-user reporting capabilities in **Microsoft Teams** by enabling **Defender for Office 365 Plan 1** customers to report suspicious messages directly in Teams (Roadmap ID `531760`), a capability previously limited to Plan 2. The feature is intended to strengthen collaboration-platform defenses by letting users classify messages as **Security Risk** (suspected phishing/malware/spam) or **Not a Security Risk** (false positives), providing additional signals to SOC workflows and improving detection for chat-based social engineering such as **BEC-style** lures delivered via Teams; the rollout is expected to complete by late March 2026 and requires administrative enablement. Separately, Microsoft acknowledged an **Exchange Online** service issue in which legitimate emails were incorrectly marked as phishing/spam and quarantined, disrupting some users’ ability to send/receive email. Microsoft attributed the false positives to a **new URL rule** that misclassified certain legitimate URLs/domains as malicious due to evolving detection criteria; some previously quarantined messages may begin reappearing as mitigations roll out, but other emails may remain quarantined until the fix is fully deployed, and affected organizations are advised to review quarantine for missing legitimate mail.

1 month ago

Microsoft cloud service disruptions affecting Microsoft 365, Exchange Online, and Windows Update/Store

Microsoft reported multiple **service-impacting incidents** across its cloud ecosystem. Administrators in **North America and Canada** experienced an outage and degraded performance in the **Microsoft 365 admin center**, with some users also unable to access the *M365 app* or raise support tickets; Microsoft said it was analyzing telemetry, usage patterns, and **CPU utilization**, and reviewing user-provided **HAR files** to isolate the root cause. Separately, **Exchange Online** quarantined legitimate messages after an updated **URL rule** incorrectly marked some URLs as phishing, disrupting email flow for affected customers while Microsoft worked to release quarantined mail and unblock legitimate URLs. In another disruption, Microsoft attributed **Windows Update** and **Microsoft Store** failures/timeouts (notably impacting Windows 11 users) to a **utility power interruption** at a **West US datacenter**, which cascaded into issues with **Azure storage clusters** supporting content delivery; backup power engaged and power was later stabilized, but service recovery required additional remediation beyond restoring electricity.

1 month ago

Microsoft 365 Service Incident and Separate Windows/Outlook Update Issues

Microsoft reported a service incident impacting **Microsoft 365** core services, with users experiencing connectivity issues and service degradation across **Exchange Online**, **Microsoft Teams**, and the broader M365 suite. The incident was tracked as `MO1220495`, with Microsoft stating it was still in the *investigating/diagnostic* phase and providing no estimated time to resolution; organizations were directed to monitor the Microsoft 365 Service Health Dashboard for tenant-specific impact details. Separately, Microsoft published guidance for a client-side stability issue where the classic **Outlook desktop** app can freeze/hang after installing recent Windows security updates (notably `KB5074109`, and also `KB5073724`), particularly affecting POP accounts and scenarios where Outlook `PST` files are stored on cloud-backed storage such as **OneDrive**. Recommended mitigations included using webmail, moving `PST` files off OneDrive, or uninstalling the problematic updates while Microsoft investigates. A third item describing “Microsoft data breach” and “zero-day vulnerabilities” is largely a repackaged Patch Tuesday/vulnerability roundup and does not substantively align with the M365 service incident or the Outlook-freeze regression.

1 month ago