Full Report
Microsoft is investigating and working to resolve Exchange Online mailbox access issues that have intermittently affected Outlook mobile and macOS users for weeks. [...]
Analysis Summary
# Incident Report: Exchange Online Connectivity Issues (EX1268771)
## Executive Summary
Microsoft is currently investigating persistent, intermittent mailbox access issues affecting Exchange Online users on Outlook mobile and macOS clients. The disruption, which has lasted several weeks, was initially attributed to a newly introduced virtual account configuration. Despite an attempted fix on April 1st, the issue remains unresolved, requiring ongoing restarts of the Notification Broker service.
## Incident Details
- **Discovery Date:** Mid-March 2026 (ongoing for weeks prior to April 3 report)
- **Incident Date:** Ongoing (March–April 2026)
- **Affected Organization:** Microsoft (Exchange Online)
- **Sector:** Technology / Cloud Service Provider
- **Geography:** Global (Affected regions not specifically disclosed)
## Timeline of Events
### Initial Access
- **Date/Time:** N/A (Not an external attack)
- **Vector:** Internal Configuration Change
- **Details:** Microsoft identified the root cause as a newly introduced "virtual account" within the service infrastructure.
### Lateral Movement
- *Not applicable: This incident is a service degradation/outage, not a security breach involving unauthorized lateral movement.*
### Data Exfiltration/Impact
- **Impact:** Intermittent inability for users to access mailboxes or sync data via mobile and macOS clients. No data exfiltration reported.
### Detection & Response
- **Detection:** Microsoft detected the issue via telemetry and tenant reports (tracked as EX1256020).
- **Response:**
- April 1: Microsoft flagged the issue as resolved.
- April 2-3: Following reports of ongoing impact, the incident was reopened under tag EX1268771.
- Mitigation: Ongoing restarts of the **Notification Broker service** on affected infrastructure.
## Attack Methodology
*Note: This incident is categorized as a service availability issue rather than a malicious attack.*
- **Initial Access:** N/A (Service Update/Configuration Change)
- **Persistence:** N/A
- **Privilege Escalation:** N/A
- **Defense Evasion:** N/A
- **Credential Access:** N/A
- **Discovery:** N/A
- **Lateral Movement:** N/A
- **Collection:** N/A
- **Exfiltration:** N/A
- **Impact:** Resource exhaustion or service failure within the Notification Broker service.
## Impact Assessment
- **Financial:** Indirect costs related to lost productivity for affected enterprise tenants.
- **Data Breach:** None. No unauthorized access to customer data reported.
- **Operational:** Significant disruption for users relying on Outlook for iOS/Android and the new Outlook for Mac.
- **Reputational:** Moderate; follows a series of recent Exchange Online outages (IMAP issues in Jan, Outlook Desktop issues in Nov).
## Indicators of Compromise
- **Network indicators:** hxxps[://]admin[.]microsoft[.]com (Official admin notifications)
- **File indicators:** N/A
- **Behavioral indicators:** Intermittent "Cannot access mailbox" errors specifically on mobile and Mac platforms; failure of push notifications or sync.
## Response Actions
- **Containment measures:** Isolation of affected infrastructure portions.
- **Eradication steps:** Rollback/modification of the "virtual account" configuration that triggered the failure.
- **Recovery actions:** Systematic restarts of the **Notification Broker service** to restore intermittent connectivity while a permanent fix is engineered.
## Lessons Learned
- **Regression Testing:** New service features (like the virtual account mentioned) require more rigorous testing across different client types (mobile vs. desktop) before global rollout.
- **Resolution Validation:** The initial "resolved" status for EX1256020 was premature, indicating a gap between internal telemetry indicators and actual user experience.
## Recommendations
- **Client Diversification:** Affected organizations should maintain access to Outlook on the Web (OWA) as a fallback, as it was not listed as impacted by this specific incident.
- **Monitoring:** Tenants should monitor health status via the Microsoft 365 Admin Center for updates on EX1268771.
- **Update Management:** Ensure Outlook mobile and macOS clients are updated to the latest versions to receive any client-side patches coordinated with the server-side fix.