Exchange Online Mistakenly Flags Legitimate Emails as Spam
Microsoft has identified a significant issue affecting Exchange Online, where authentic emails are mistakenly categorized as spam. This problem is attributed to an aggressive URL-detection rule that has resulted in legitimate business messages being quarantined as potential phishing attempts. A fix is currently being implemented, but outcomes vary across different organizations as quarantined emails are gradually released.
Understanding the Quarantine Issue
According to Microsoft, a newly enforced URL classification rule is incorrectly identifying trustworthy links as malicious. This misclassification has increased the risk scores of affected messages, which consequently directs them to quarantine. The company is working on adjustments to reduce this collateral damage while still protecting users from genuine threats.
What to Do When Emails Are Quarantined
For those impacted by this issue, a few steps can help recover missing emails safely:
- Access the Quarantine page in the Microsoft Defender portal associated with your work or school account.
- Filter quarantined messages by categories such as Phish or High Confidence Phish for easier review.
- Inspect the headers, authentication results, and body content before releasing any messages.
It is essential only to release verified messages. If there’s uncertainty, contact the sender through a different channel.
Admin Guidelines for Managing Quarantine
If you are an administrator, consider the following strategies:
- Enable end-user quarantine notifications so users are aware of pending messages.
- Allow users to release low-confidence spam while keeping high-confidence phishing emails gated for admin approval.
- Utilize Message Trace in the Exchange admin center to track whether messages were quarantined or dropped.
Additionally, ask trusted partners to resend any vital communications, as some emails may be delayed in processing.
Strategies for Long-Term Management
As the resolution is rolled out, the following practices can mitigate future issues:
- Implement targeted allow rules for business-critical senders to bypass spam filters.
- Add reliable URLs to the Tenant Allow/Block List in Microsoft Defender to minimize false flags.
- Maintain proper outbound domain authentication with SPF, DKIM, and DMARC to reduce the risk score for emails.
Understanding Misfires in Email Security
Email security filters can sometimes misclassify messages due to the sheer volume of spam, which typically constitutes around 85% of global email traffic. This challenge requires a balance between preventing attacks and ensuring legitimate campaigns are not misidentified. Reports have shown that phishing and social engineering remain significant threats, emphasizing the need for robust security measures.
Next Steps
As Microsoft continues to deploy its fix, it is crucial to monitor the Microsoft 365 Service health dashboard for updates. Expect emails to gradually return to inboxes, and ensure all notifications about quarantined messages remain active. By narrowing any temporary rules and reporting false positives back to Microsoft, organizations can maintain business continuity while safeguarding against potential threats.
