Full Report
Microsoft is working to address an ongoing Exchange Online outage that is preventing customers from accessing their mailboxes and calendars. [...]
Analysis Summary
# Incident Report: Microsoft Exchange Online Service Outage
## Executive Summary
On March 16, 2026, Microsoft experienced a significant service disruption affecting Exchange Online and Microsoft 365 Copilot. Users were widely unable to access mailboxes and calendars across multiple connection protocols, including desktop and web clients. Early investigation suggests the cause was an internal infrastructure configuration issue rather than an external cyberattack.
## Incident Details
- **Discovery Date:** March 16, 2026, 06:42 AM UTC
- **Incident Date:** March 16, 2026
- **Affected Organization:** Microsoft (and global customers using M365)
- **Sector:** Technology / Cloud Service Provider
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 16, 2026 (Early morning UTC)
- **Vector:** N/A (Internal Infrastructure Failure)
- **Details:** The incident appears to be a service degradation caused by inefficient traffic processing within Microsoft’s service infrastructure.
### Lateral Movement
- **N/A:** No unauthorized lateral movement was reported; the issue was localized to service infrastructure performance.
### Data Exfiltration/Impact
- **Impact:** Significant disruption to email communications and AI-assisted workflows. Users were unable to reach the Office.com portal, Exchange ActiveSync, and Copilot web clients.
### Detection & Response
- **06:42 AM UTC:** Microsoft publicly acknowledged reports of connectivity issues via social media and the Admin Center (EX1253275).
- **Update:** Microsoft identified specific service infrastructure sectors failing to process traffic efficiently.
- **Mid-day:** Configuration changes were deployed to remediate the impact, though some users experienced delayed recovery.
## Attack Methodology
*Note: Based on current telemetry, this was a service outage/reliability incident, not a security breach involving a threat actor.*
- **Initial Access:** N/A
- **Persistence:** N/A
- **Privilege Escalation:** N/A
- **Defense Evasion:** N/A
- **Credential Access:** N/A
- **Discovery:** N/A
- **Lateral Movement:** N/A
- **Collection:** N/A
- **Exfiltration:** N/A
- **Impact:** Resource Exhaustion / Service Degradation (Unintentional configuration error).
## Impact Assessment
- **Financial:** Potential SLA credit claims from enterprise customers; indirect costs due to lost global productivity.
- **Data Breach:** None reported; no unauthorized access to data was indicated.
- **Operational:** Severe; loss of access to email, calendars, and M365 Copilot AI services.
- **Reputational:** Moderate; repeated outages in core productivity suites impact brand trust in cloud reliability.
## Indicators of Compromise
*No malicious IOCs were identified. Observed behavioral indicators included:*
- **Behavioral:** HTTP 500-series errors on office[.]com.
- **Behavioral:** Connection timeouts for Exchange ActiveSync and Outlook Desktop.
- **Behavioral:** "Something went wrong" error messages on the Office.com web portal.
## Response Actions
- **Containment:** Redirected traffic away from infrastructure that was processing it inefficiently.
- **Eradication:** Applied configuration changes to service infrastructure (MO1253428).
- **Recovery:** Monitoring service telemetry to ensure sustained recovery and assessing the health of Copilot web endpoints.
## Lessons Learned
- **Key Takeaways:** Even decentralized cloud services have critical infrastructure chokepoints that can cause cascading failures across multiple product lines (Exchange and Copilot).
- **What could have been done better:** Initial telemetry suggested recovery earlier than end users actually experienced it, indicating a gap between backend health metrics and actual user experience.
## Recommendations
- **Redundancy:** Maintain emergency offline access or local backups for critical business communications.
- **Communication:** Organizations should have a secondary, non-Microsoft communication channel (e.g., Slack or Zoom) to coordinate during M365 outages.
- **Diversification:** Use application-based clients (Teams Desktop, Outlook Mobile) during web-portal outages as they may utilize different authentication or traffic paths.