Microsoft Exchange Online Incident Report: Legitimate Emails Incorrectly Flagged as Phishing and Quarantined
- Rescana

Executive Summary
Publication Date: July 5, 2024
This report details the service disruption experienced by Microsoft Exchange Online beginning on June 20, 2024, where legitimate emails were incorrectly flagged as phishing and subsequently quarantined. The incident, which persisted for at least two weeks, was caused by a change in Exchange Online’s phishing detection system that misidentified certain domain creation dates, resulting in widespread false positives. Microsoft acknowledged the issue, classified it as a service degradation, and initiated a long-term fix, but user reports indicate that the impact continued beyond the initial remediation efforts. This report provides a comprehensive analysis of the incident, including the technical root cause, timeline, service and business impact, customer communications, and lessons learned.
Incident Timeline
The incident began on Thursday, June 20, 2024, at 11:52:29 PM UTC, when legitimate emails containing specific URLs were first flagged as phishing and quarantined by Exchange Online. Microsoft officially acknowledged the issue on Friday, June 21, 2024, at 10:16:56 AM UTC, classifying it as a service degradation. By 12:19:26 PM UTC on June 21, Microsoft announced that a long-term fix was being deployed. Despite these efforts, user reports and forum activity confirm that the issue persisted, with ongoing disruptions reported as late as July 4, 2024. Throughout this period, Microsoft provided regular updates via their service health dashboard and Q&A forums, advising customers on interim mitigation steps and the status of remediation efforts.
Technical Root Cause
The root cause of the disruption was a recent change in Exchange Online’s phishing detection system. This change caused domain creation dates to be incorrectly identified as newly created, which in turn triggered reputation issues within the anti-phishing algorithms. As a result, any email containing URLs with the affected domains was flagged as phishing and quarantined, regardless of the legitimacy of the message. Microsoft later clarified that an updated URL rule, intended to enhance detection of sophisticated spam and phishing attempts, was responsible for the incorrect quarantining of legitimate emails. The technical misconfiguration led to a significant number of false positives, impacting a broad range of users and organizations.
Service Impact Analysis
The service impact was classified by Microsoft as both a “service degradation” and an “incident,” indicating a widespread and noticeable disruption. Any Exchange Online user whose messages included URLs with the affected domains was at risk of having their emails incorrectly flagged and quarantined. The issue was global in scope, as evidenced by user reports from multiple regions and organizations. The duration of the impact extended from June 20, 2024, through at least July 4, 2024, with some users continuing to experience issues beyond the initial deployment of the long-term fix. The severity of the incident was underscored by the volume of legitimate business emails delayed or blocked, affecting critical communications and workflow.
Customer Impact
Customers experienced significant disruption to their email communications, with legitimate messages being quarantined and delivery delayed. This affected both senders and recipients, leading to missed or delayed business correspondence, increased support requests, and the need for manual review of quarantined emails. Microsoft’s interim advice included reviewing quarantined messages, adjusting anti-phishing policies, and utilizing the Report Phishing add-in to flag false positives. Despite these measures, many organizations reported ongoing issues, highlighting the challenge of restoring full service and trust in the platform’s filtering mechanisms.
Response and Recovery
Microsoft responded by developing and initiating the deployment of a long-term fix as of June 21, 2024. Their efforts focused on repairing the detection issues, releasing quarantined emails, and unblocking legitimate URLs. Communication with customers was maintained through service health alerts and forum updates, providing guidance on interim mitigation and status updates on the remediation process. Customers were encouraged to review and adjust their anti-phishing policies and to report false positives to aid in the resolution. Despite these actions, the persistence of user reports into July 2024 indicates that full recovery was gradual and required ongoing attention.
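As an added illustration of the interim review step described here and in the Customer Impact section (example code, not Microsoft's guidance or anything from the original report), the following Exchange Online PowerShell session lists phish-quarantined messages from the incident window, groups them by sender domain so that a cluster of normally trusted domains stands out from genuine phishing, and releases only messages whose domains an administrator has confirmed after manual review. It assumes the ExchangeOnlineManagement module is installed, that the account holds a role permitting the quarantine cmdlets, and that the $reviewedDomains list is a placeholder to be replaced after review.

```powershell
# Added triage example; not Microsoft's or Rescana's code.
# Assumes the ExchangeOnlineManagement module and a role allowed to manage quarantine.
Connect-ExchangeOnline -ShowBanner:$false

# Incident window taken from the report; widen it for your own tenant if needed.
$start = [datetime]::Parse('2024-06-20T23:52:29Z').ToUniversalTime()
$end   = [datetime]::Parse('2024-07-05T00:00:00Z').ToUniversalTime()

# Pull every phish-quarantined message in the window, paging 1000 at a time.
$phish = @()
$page  = 1
do {
    $batch = Get-QuarantineMessage -QuarantineTypes Phish `
        -StartReceivedDate $start -EndReceivedDate $end `
        -PageSize 1000 -Page $page
    $phish += $batch
    $page++
} while (@($batch).Count -eq 1000)

# Cluster by sender domain. A sudden spike from domains your organization
# normally corresponds with is the signature of a rule change producing
# false positives rather than of a real campaign.
$bySender = $phish |
    Group-Object { ($_.SenderAddress -split '@')[-1].ToLower() } |
    Sort-Object Count -Descending |
    Select-Object Name, Count
$bySender | Format-Table -AutoSize

# Show what each candidate looks like: which policy quarantined it and
# whether it has already been released.
$phish |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject,
                  PolicyName, ReleaseStatus |
    Sort-Object ReceivedTime | Format-Table -AutoSize

# Release is gated on an explicit list built after manual review, because
# genuine phishing sits alongside the false positives in the same quarantine.
$reviewedDomains = @('example.com')   # placeholder: replace after your review
$toRelease = $phish | Where-Object {
    $reviewedDomains -contains (($_.SenderAddress -split '@')[-1].ToLower()) -and
    $_.ReleaseStatus -ne 'RELEASED'
}
foreach ($m in $toRelease) {
    # -ReleaseToAll delivers the message to every original recipient.
    Release-QuarantineMessage -Identity $m.Identity -ReleaseToAll
}
```

False positives confirmed during review should also be submitted to Microsoft (the Report Phishing add-in mentioned above, or the submissions portal) so the underlying URL reputation is corrected rather than just the local copies released.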
Business Impact
The business impact of the incident was substantial. Organizations relying on Exchange Online for critical communications faced delays and disruptions, with legitimate emails being blocked or delayed for extended periods. This led to missed business opportunities, delayed project timelines, and increased workload for IT and support teams tasked with managing quarantined messages and user concerns. The incident also raised concerns about the reliability of automated phishing detection systems and the potential for similar disruptions in the future, prompting some organizations to review their email security strategies and contingency plans.
Lessons Learned
This incident highlights the risks associated with automated security updates in large-scale email platforms like Exchange Online. The misconfiguration of phishing detection rules can have far-reaching consequences, affecting a global user base and disrupting essential business functions. Effective communication, rapid deployment of fixes, and clear guidance for customers are critical in managing such incidents. Additionally, the need for robust testing and validation of security updates before deployment is underscored by the prolonged impact experienced in this case. Organizations are advised to maintain flexible anti-phishing policies and to monitor service health communications closely to respond quickly to emerging issues.
References
BleepingComputer (Feb 9, 2026): “Microsoft is investigating an ongoing Exchange Online issue that mistakenly flags legitimate emails as phishing and quarantines them. The incident began on February 5 and continues to affect Exchange Online customers, preventing them from sending or receiving emails. ... Over the weekend, Microsoft confirmed that the issue is caused by a new URL rule that incorrectly flags some URLs as malicious and the emails as phishing attempts. ... Microsoft is working to release quarantined emails and said that affected users may begin to see previously flagged messages in their inboxes.”
Microsoft Q&A (June–July 2024): “Root cause: A recent change caused domain creation dates to be identified as newly created, which is causing reputation issues with our phishing detection systems, and any messages containing the URLs with the affected domains are being flagged as phishing and quarantined.” “We've completed development of the long-term fix and have initiated the deployment. Along with this deployment, we're repairing the associated detection issues to fully remediate impact. We'll provide a completion timeline when one becomes available.” “Any user with messages including the URLs with the affected domains may be impacted by this event.”
Microsoft Service Health Dashboard (June 21, 2024): “Some users' legitimate email messages are being marked as phish and quarantined in Exchange Online. We've determined that the URLs associated with these email messages are incorrectly marked as phish and quarantined in Exchange Online due to ever-evolving criteria aimed at identifying suspicious email messages, as spam and phishing techniques have become more sophisticated in avoiding detection.”
About Rescana
Rescana provides a comprehensive Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and mitigate risks across their vendor ecosystem. Our platform delivers actionable insights, continuous monitoring, and robust reporting to support effective risk management and compliance. For more information or to discuss how we can support your organization’s risk management needs, please contact us at ops@rescana.com.