Microsoft: Exchange Online mistakenly tags emails as malware
Microsoft is investigating an Exchange Online false positive issue causing emails containing images to be wrongly tagged as malicious and sent to quarantine.
“Users’ email messages containing images may be incorrectly flagged as malware and quarantined,” Microsoft said in a service alert posted on the Microsoft 365 admin center two hours ago.
“We’re reviewing service monitoring telemetry to isolate the root cause and develop a remediation plan.”
Tracked under EX873252, this ongoing service degradation issue seems to be widespread, according to reports from system administrators, and it also impacts messages with image signatures.
“Seems to only be affecting our outbound traffic and specifically for replies and forwards of previously external emails,” one admin said.
“For us, it was both inbound and intra-org. Inbound only would have been much easier for me to deal with. They also basically tagged our intra as inbound from what I saw in the message header,” another one added.
Redmond has yet to reveal which regions are impacted by this issue or to provide mitigation advice that impacted customers can use until the false positive problems are resolved.
In October 2023, Microsoft addressed a similar issue caused by a bad anti-spam rule that flooded Microsoft 365 admins’ inboxes with blind carbon copies (BCC) of outbound emails mistakenly flagged as spam.
Update August 26, 13:00 EDT: Microsoft has taken measures to move legitimate emails mistakenly tagged as malicious out from quarantine.
“We identified an issue affecting our malware detection systems. We’ve implemented a mitigation to unblock legitimate emails that were mistakenly quarantined. The replay of impacted emails is in progress,” Microsoft said.
Update August 26, 15:20 EDT: Microsoft says the issue has been resolved, and all affected emails have been quarantined.
“We’ve confirmed this issue is resolved after implementing a mitigation within the service. Telemetry shows over 99% of impacted emails have been unblocked and automatically replayed,” the company said.