Full Report
Microsoft is working to resolve a known issue that causes an anti-spam service to mistakenly block Exchange Online and Microsoft Teams users from opening URLs and quarantine some of their emails. [...]
Analysis Summary
# Incident Report: False Positive URL Blocking in Exchange Online and Teams
## Executive Summary
A configuration change related to Microsoft's anti-spam service resulted in a widespread false positive, causing Exchange Online and Microsoft Teams users to be blocked from accessing legitimate URLs or having emails incorrectly quarantined starting on September 5, 2025. The root cause was identified as the anti-spam engine incorrectly flagging URLs contained within other URLs as malicious. Microsoft is actively working to unblock over 6,000 identified URLs and recover impacted messages.
## Incident Details
- Discovery Date: September 5, 2025 (Date of first impact reporting)
- Incident Date: Began September 5, 2025
- Affected Organization: Microsoft (Affecting Exchange Online and Microsoft Teams tenants globally)
- Sector: Technology / Cloud Services
- Geography: Global (Implied by scope of service outage)
## Timeline of Events
### Initial Access
- Date/Time: September 5, 2025 (Start of impact)
- Vector: Internal system misconfiguration / bug in the anti-spam engine
- Details: Anti-spam engine incorrectly tagged URLs contained within other URLs as potentially malicious.
### Lateral Movement
- Not Applicable. This was a widespread service anomaly/false positive, not a traditional external intrusion requiring lateral movement.
### Data Exfiltration/Impact
- Impact: Users could not open legitimate URLs; legitimate emails were incorrectly quarantined by the anti-spam service. Over 6,000 unique URLs were identified as affected initially.
### Detection & Response
- **Detection (Sept 5):** Admins began seeing alerts titled "A potentially malicious URL click was detected involving one user," despite URLs being safe.
- **Initial Response (Sept 5 onwards):** Microsoft identified over 6,000 affected URLs and began working to unblock them and replay quarantined messages. A previous configuration fix failed to resolve the issue.
- **Update (Sept 8):** Engineers deployed a fix to prevent new syncs from entering the quarantine state. A new subset of URLs was identified as impacted, and work continued on residual issues and root cause analysis.
## Attack Methodology
- Initial Access: N/A (System Error/Misconfiguration)
- Persistence: N/A
- Privilege Escalation: N/A
- Defense Evasion: N/A
- Credential Access: N/A
- Discovery: N/A
- Lateral Movement: N/A
- Collection: N/A
- Exfiltration: N/A
- Impact: Faulty anti-spam models blocked legitimate service functionality (URL clicks and email delivery).
## Impact Assessment
- Financial: Not detailed; some loss is expected given the service disruption.
- Data Breach: No confirmed data breach; impact was operational filtering.
- Operational: Significant disruption to users relying on URLs within emails and Teams communications; emails sent to quarantine; reduced legitimate message flow.
- Reputational: Negative impact due to repeated service anomalies involving false positives in its security stack (similar incidents occurred in March and May 2025).
## Indicators of Compromise
- **Behavioral indicators:** Alerts titled "A potentially malicious URL click was detected involving one user" despite safe URLs; legitimate emails moved to quarantine.
- **Internal Artifacts:** Over 6,000 specific URLs initially identified as being incorrectly flagged by the anti-spam engine.
## Response Actions
- **Containment measures:** Engineers deployed a fix to stop new syncs from entering the quarantine state.
- **Eradication steps:** Working to unblock the identified 6,000+ URLs and address the new subset discovered later.
- **Recovery actions:** Planning to "replay" messages to recover any emails or URLs that were incorrectly flagged and quarantined.
## Lessons Learned
- The anti-spam engine has demonstrated fragility, incorrectly flagging legitimate content (specifically nested URLs) due to recent configuration changes or model updates.
- Previous attempted fixes (e.g., changing the configured delay interval) were unsuccessful in resolving the core issue.
- This is the third major email filtering accuracy issue reported in 2025, suggesting ongoing challenges with machine learning models and configuration synchronization in the email security stack.
## Recommendations
- Conduct a thorough root cause analysis on the anti-spam engine logic that misinterprets 'URLs within URLs' to prevent recurrence.
- Implement more rigorous, layered testing (smoke testing and canary testing) following any changes to URL filtering or anti-spam configurations before full deployment.
- Improve the automated review/rollback process for false positive surges identified in monitoring systems.
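The "URL within a URL" pattern behind the root cause, and the false-positive surge guard the recommendations call for, as an added illustration that is not Microsoft's code and not part of the original report: constructed wrapper links (redirect and tracking hosts, blocklist entries and the baseline rate are all made up) are decoded so the inner destination is judged on its own host reputation rather than on the nesting itself, and a batch block-rate check flags the kind of surge a canary rollout should catch.

```python
from urllib.parse import urlparse, parse_qsl

# Constructed sample links (not taken from the incident report): two wrapper
# links carrying a second URL in a query parameter, and two plain links.
SAMPLE_URLS = [
    "https://redirect.example.com/go?url=https%3A%2F%2Fdocs.example.org%2Fguide",
    "https://tracker.example.net/c?u=http://news.example.org/item/42&id=7",
    "https://docs.example.org/guide",
    "https://login.example.com/?next=/home",
]

def nested_urls(url):
    """Return absolute http(s) URLs carried in the query string of `url`.
    parse_qsl percent-decodes values, so the inner URL comes back readable."""
    inner = []
    for _, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        parsed = urlparse(value)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            inner.append(value)
    return inner

def naive_classify(url):
    """The failure mode described in the report: nesting itself is the verdict."""
    return {"url": url, "verdict": "block" if nested_urls(url) else "allow"}

def classify(url, blocked_hosts):
    """Decode the wrapper and judge every host (outer and inner) against the
    blocklist; nesting is kept as a feature for analysts but is never a verdict."""
    inner = nested_urls(url)
    hosts = [urlparse(url).hostname] + [urlparse(u).hostname for u in inner]
    verdict = "block" if any(h in blocked_hosts for h in hosts) else "allow"
    return {"url": url, "nested": bool(inner), "verdict": verdict}

def block_rate(verdicts):
    """Fraction of a batch that received a 'block' verdict."""
    return sum(v["verdict"] == "block" for v in verdicts) / len(verdicts)

def surge_detected(verdicts, baseline_rate, factor=3.0, floor=0.05):
    """Canary guard for a filter change: True when the batch block rate exceeds
    both an absolute floor and `factor` times the pre-change baseline, which
    is the signal to hold the rollout and review the verdicts by hand."""
    return block_rate(verdicts) > max(floor, baseline_rate * factor)

if __name__ == "__main__":
    baseline = 0.01  # constructed pre-change block rate for this tenant
    blocked = {"malware.example"}  # constructed blocklist; none of the samples match
    naive = [naive_classify(u) for u in SAMPLE_URLS]
    careful = [classify(u, blocked) for u in SAMPLE_URLS]
    print("naive block rate:", block_rate(naive), "surge:", surge_detected(naive, baseline))
    print("careful block rate:", block_rate(careful), "surge:", surge_detected(careful, baseline))
```

The naive filter blocks both wrapper links and trips the surge guard on a four-link batch, while the decoding classifier only blocks when an outer or inner host is actually on the blocklist.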