Microsoft Anti-Spam Service Misidentifies Safe URLs in Exchange Online and Teams
Summary
Microsoft is addressing a bug in its anti-spam service that incorrectly blocks URLs in Exchange Online and Microsoft Teams, causing some emails to be quarantined. The issue began on September 5, 2025, affecting users who received false alerts about malicious URLs. Over 6,000 URLs have been identified as affected, and Microsoft is working to unblock them and recover any incorrectly flagged messages. The bug is due to the anti-spam engine mistakenly tagging URLs within other URLs as potentially malicious. Microsoft has deployed a partial fix and is continuing to address the impact. The incident has been classified as an event with noticeable user impact, although the exact number of affected customers and regions remains undisclosed. In a later development, on February 5, 2026, another incident began in which Exchange Online mistakenly flagged legitimate emails as phishing and quarantined them. This issue is caused by a new URL rule that incorrectly flags some URLs as malicious. Microsoft is working to release quarantined emails and confirm that legitimate URLs are unblocked. The incident, tracked by Microsoft under EX1227432, was not fully resolved until February 12. The root cause was a logic error in a detection system designed to identify new credential phishing attacks, which also led to false positive alerts. Other security tools within Microsoft's detection infrastructure amplified the incident's impact, and a separate bug in the company's security signature systems further delayed efforts to roll back the flawed detection rules. Microsoft will issue a final report within five business days of full resolution. Similar issues have occurred throughout the year, including a May 2025 incident where a machine learning model incorrectly flagged Gmail emails as spam in Exchange Online.
Timeline
- 09.02.2026 12:47 (2 articles, 10d ago)
  Exchange Online Flags Legitimate Emails as Phishing
  On February 5, 2026, a new incident began in which Exchange Online mistakenly flagged legitimate emails as phishing and quarantined them. This issue is caused by a new URL rule that incorrectly flags some URLs as malicious. The incident, tracked by Microsoft under EX1227432, was not fully resolved until February 12. The root cause was a logic error in a detection system designed to identify new credential phishing attacks, which also led to false positive alerts. Other security tools within Microsoft's detection infrastructure amplified the incident's impact, and a separate bug in the company's security signature systems further delayed efforts to roll back the flawed detection rules. Microsoft will issue a final report within five business days of full resolution.
  Sources:
  - Microsoft: Exchange Online flags legitimate emails as phishing — www.bleepingcomputer.com — 09.02.2026 12:47
  - Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages — www.bleepingcomputer.com — 18.02.2026 18:26
- 09.09.2025 16:40 (2 articles, 5mo ago)
  Microsoft Anti-Spam Bug Affects Exchange Online and Teams
  On September 5, 2025, a bug in Microsoft's anti-spam service began incorrectly blocking URLs in Exchange Online and Microsoft Teams, causing some emails to be quarantined. Over 6,000 URLs have been identified as affected, and Microsoft is working to unblock them and recover any incorrectly flagged messages. The issue is due to the anti-spam engine mistakenly tagging URLs within other URLs as potentially malicious. Microsoft has deployed a partial fix and is continuing to address the impact. The incident has been classified as an event with noticeable user impact, although the exact number of affected customers and regions remains undisclosed.
  Sources:
  - Microsoft: Anti-spam bug blocks links in Exchange Online, Teams — www.bleepingcomputer.com — 09.09.2025 16:40
  - Microsoft: Exchange Online flags legitimate emails as phishing — www.bleepingcomputer.com — 09.02.2026 12:47
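The nested-URL problem described in the timeline entry above, shown as an added example that is not Microsoft's code: an over-broad "URL inside a URL" heuristic beside a check that evaluates the wrapper host and its embedded destination separately. The message text, the approved-wrapper set and the blocklist are all constructed for the demonstration.

```python
"""How a URL carried inside another URL's query string can trip a link
scanner, and one way to evaluate the nested destination instead of
flagging the pattern itself. Added example, not Microsoft's code; the
message text, wrapper allowlist and blocklist below are all constructed."""
import re
from urllib.parse import parse_qs, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Constructed: redirect/tracking wrappers known to carry a destination URL in their query string.
APPROVED_WRAPPERS = {"links.example-mailer.invalid"}
# Constructed blocklist for the demonstration.
BLOCKED_HOSTS = {"evil.example.net"}

def nested_url(url):
    """Return the URL embedded in `url`'s query string (percent-decoded), or None."""
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            if URL_RE.fullmatch(value):
                return value
    return None

def pattern_verdict(url):
    """Over-broad heuristic: any URL-in-URL is treated as malicious.
    This is the kind of rule that quarantines wrapped but benign links."""
    return "block" if nested_url(url) else "allow"

def destination_verdict(url):
    """Judge the wrapper host and the effective destination on their own merits:
    a blocklisted host anywhere -> block; a nested URL behind a wrapper that is
    not approved -> review; otherwise allow."""
    outer = urlsplit(url).hostname or ""
    inner = nested_url(url)
    hosts = {outer} | ({urlsplit(inner).hostname or ""} if inner else set())
    if hosts & BLOCKED_HOSTS:
        return "block"
    if inner and outer not in APPROVED_WRAPPERS:
        return "review"
    return "allow"

def scan(text, verdict):
    """Apply `verdict` to every URL found in `text`, keyed by the URL."""
    return {u: verdict(u) for u in URL_RE.findall(text)}

# Constructed sample message: one approved wrapper link and one plain internal link.
SAMPLE_BODY = (
    "Quarterly report: https://links.example-mailer.invalid/r"
    "?u=https%3A%2F%2Fdocs.example.com%2Fq3&id=42 "
    "and https://intranet.example.com/policy"
)
```

Running `scan(SAMPLE_BODY, pattern_verdict)` blocks the wrapped link even though its destination is benign, while `scan(SAMPLE_BODY, destination_verdict)` allows both and still blocks a wrapper whose embedded destination is on the blocklist.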
Information Snippets
- The anti-spam service bug began affecting users on September 5, 2025.
  First reported: 09.09.2025 16:40 (1 source, 3 articles)
  Sources:
  - Microsoft: Anti-spam bug blocks links in Exchange Online, Teams — www.bleepingcomputer.com — 09.09.2025 16:40
  - Microsoft: Exchange Online flags legitimate emails as phishing — www.bleepingcomputer.com — 09.02.2026 12:47
  - Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages — www.bleepingcomputer.com — 18.02.2026 18:26
- Over 6,000 URLs have been identified as incorrectly flagged by the anti-spam service.
  First reported: 09.09.2025 16:40 (1 source, 2 articles)
  Sources:
  - Microsoft: Anti-spam bug blocks links in Exchange Online, Teams — www.bleepingcomputer.com — 09.09.2025 16:40
  - Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages — www.bleepingcomputer.com — 18.02.2026 18:26
- Microsoft has deployed a partial fix to address the issue, but some URLs and emails remain affected.
  First reported: 09.09.2025 16:40 (1 source, 3 articles)
  Sources:
  - Microsoft: Anti-spam bug blocks links in Exchange Online, Teams — www.bleepingcomputer.com — 09.09.2025 16:40
  - Microsoft: Exchange Online flags legitimate emails as phishing — www.bleepingcomputer.com — 09.02.2026 12:47
  - Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages — www.bleepingcomputer.com — 18.02.2026 18:26
- The bug causes false alerts about malicious URLs and quarantines some emails.
  First reported: 09.09.2025 16:40 (1 source, 3 articles)
  Sources:
  - Microsoft: Anti-spam bug blocks links in Exchange Online, Teams — www.bleepingcomputer.com — 09.09.2025 16:40
  - Microsoft: Exchange Online flags legitimate emails as phishing — www.bleepingcomputer.com — 09.02.2026 12:47
  - Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages — www.bleepingcomputer.com — 18.02.2026 18:26
- The incident has been classified as an event with noticeable user impact.
  First reported: 09.09.2025 16:40 (1 source, 2 articles)
  Sources:
  - Microsoft: Anti-spam bug blocks links in Exchange Online, Teams — www.bleepingcomputer.com — 09.09.2025 16:40
  - Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages — www.bleepingcomputer.com — 18.02.2026 18:26
- Similar issues have occurred previously, including a May 2025 incident involving Gmail emails.
  First reported: 09.09.2025 16:40 (1 source, 3 articles)
  Sources:
  - Microsoft: Anti-spam bug blocks links in Exchange Online, Teams — www.bleepingcomputer.com — 09.09.2025 16:40
  - Microsoft: Exchange Online flags legitimate emails as phishing — www.bleepingcomputer.com — 09.02.2026 12:47
  - Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages — www.bleepingcomputer.com — 18.02.2026 18:26
- The incident began on February 5, 2026, and continues to affect Exchange Online customers, preventing them from sending or receiving emails.
  First reported: 09.02.2026 12:47 (1 source, 2 articles)
  Sources:
  - Microsoft: Exchange Online flags legitimate emails as phishing — www.bleepingcomputer.com — 09.02.2026 12:47
  - Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages — www.bleepingcomputer.com — 18.02.2026 18:26
- The issue is caused by a new URL rule that incorrectly flags some URLs as malicious and the emails as phishing attempts.
  First reported: 09.02.2026 12:47 (1 source, 2 articles)
  Sources:
  - Microsoft: Exchange Online flags legitimate emails as phishing — www.bleepingcomputer.com — 09.02.2026 12:47
  - Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages — www.bleepingcomputer.com — 18.02.2026 18:26
- Microsoft is working to release quarantined emails and confirm that legitimate URLs are unblocked.
  First reported: 09.02.2026 12:47 (1 source, 2 articles)
  Sources:
  - Microsoft: Exchange Online flags legitimate emails as phishing — www.bleepingcomputer.com — 09.02.2026 12:47
  - Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages — www.bleepingcomputer.com — 18.02.2026 18:26
- The incident, tracked by Microsoft under EX1227432, began on February 5 and was not fully resolved until February 12.
  First reported: 18.02.2026 18:26 (1 source, 1 article)
  Sources:
  - Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages — www.bleepingcomputer.com — 18.02.2026 18:26
- Administrators received warnings that a 'potentially malicious URL click was detected,' which were later confirmed as false positives.
  First reported: 18.02.2026 18:26 (1 source, 1 article)
  Sources:
  - Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages — www.bleepingcomputer.com — 18.02.2026 18:26
- The root cause was a logic error in a detection system designed to identify new credential phishing attacks.
  First reported: 18.02.2026 18:26 (1 source, 1 article)
  Sources:
  - Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages — www.bleepingcomputer.com — 18.02.2026 18:26
- Other security tools within Microsoft's detection infrastructure amplified the incident's impact.
  First reported: 18.02.2026 18:26 (1 source, 1 article)
  Sources:
  - Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages — www.bleepingcomputer.com — 18.02.2026 18:26
- A separate bug in the company's security signature systems further delayed efforts to roll back the flawed detection rules.
  First reported: 18.02.2026 18:26 (1 source, 1 article)
  Sources:
  - Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages — www.bleepingcomputer.com — 18.02.2026 18:26
- Microsoft will issue a final report within five business days of full resolution.
  First reported: 18.02.2026 18:26 (1 source, 1 article)
  Sources:
  - Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages — www.bleepingcomputer.com — 18.02.2026 18:26
Similar Happenings
1Password introduces pop-up warnings for suspected phishing sites
1Password has added a new security feature that displays pop-up warnings for suspected phishing sites. This feature aims to help users identify and avoid malicious pages, preventing them from sharing account credentials with threat actors. The update is automatically enabled for individual and family plan users, while enterprise admins can manually activate it for employees. The move comes amid rising phishing threats, exacerbated by AI tools that facilitate more convincing and high-volume scams. A 2000-person survey by 1Password revealed that 61% of respondents had been successfully phished, and 75% do not check URLs before clicking links. In corporate environments, 33% of employees reuse passwords on work accounts, with nearly half having fallen victim to phishing attacks. 72% of survey participants admitted to clicking suspicious links, and more than 50% found it more convenient to delete suspicious messages than report them.
Credential Theft and Account Compromise Surge in 2025
In 2025, cyber threat actors significantly increased their focus on credential theft, leading to a 389% rise in account compromise incidents, which constituted 55% of all attacks observed by eSentire. Credential access represented 75% of malicious activity, with two-thirds aimed at account takeovers and the remaining third used for phishing campaigns. Microsoft 365 accounts were primary targets. The use of phishing-as-a-service (PhaaS) kits, such as Tycoon2FA, FlowerStorm, and EvilProxy, fueled business email compromise (BEC) attacks. These kits are sophisticated, continuously updated, and designed to bypass modern security controls like multifactor authentication (MFA). While BEC attacks declined to less than 10% of malicious activity, they remained a top threat for companies, particularly in real estate, finance, retail, and construction. The report also highlighted a 14-fold increase in security incidents involving email bombing and IT Help Desk impersonation, a 300% spike in the ClickFix lure, and varying trends in cyber incidents across different industries.
Misconfigured Email Routing Exploited for Internal Domain Phishing
Threat actors are exploiting misconfigured email routing and spoof protections to impersonate organizations' domains and distribute phishing emails that appear to originate internally. This tactic has surged since May 2025, targeting various industries with phishing-as-a-service (PhaaS) platforms like Typhoon2FA. Successful attacks can lead to credential theft and business email compromise (BEC). The issue arises when complex routing scenarios are configured without strict spoof protections, allowing spoofed emails to bypass security measures. Microsoft blocked over 13 million malicious emails linked to the Typhoon2FA kit in October 2025. Organizations are advised to enforce strict DMARC and SPF policies, properly configure third-party connectors, and ensure MX records point directly to Office 365 to mitigate this risk.
86% Increase in Fake Delivery Websites Targeting Holiday Shoppers
An 86% surge in malicious postal service websites has been observed over the past month, heightening risks for consumers tracking holiday deliveries. Cybercriminals are exploiting the holiday shopping rush by sending convincing phishing messages mimicking legitimate delivery companies, often warning of delayed or suspended packages. These scams, primarily delivered via text message or email, aim to steal personal or financial information by tricking users into clicking malicious links.
Notepad++ Update Mechanism Exploited to Deliver Malicious Payloads
Notepad++ version 8.8.9 was released to address a security flaw in its WinGUp update tool that allowed attackers to push malicious executables instead of legitimate updates. Users reported incidents where the updater spawned a malicious AutoUpdater.exe that collected device information and exfiltrated it to a remote site. The flaw was mitigated by enforcing updates only from GitHub and later by requiring signature verification for all updates. Security researchers noted targeted attacks against organizations with interests in East Asia, where Notepad++ processes were used to gain initial access. The attack involved an infrastructure-level compromise at the hosting provider level, allowing malicious actors to intercept and redirect update traffic. The incident commenced in June 2025 and continued until December 2025, with the Notepad++ website later migrated to a new hosting provider. The attackers were likely Chinese state-sponsored threat actors, selectively redirecting update requests from certain users to malicious servers. The hosting provider for the update feature was compromised, enabling targeted traffic redirections. The attackers regained access using previously obtained internal service credentials. Notepad++ has since migrated all clients to a new hosting provider with stronger security and plans to enforce mandatory certificate signature verification in version 8.9.2. The compromise involved shared hosting infrastructure rather than a flaw in the software's code, with attackers gaining access at the hosting provider level to intercept and manipulate traffic bound for the Notepad++ update endpoint. Direct server access by the attackers ended on September 2, 2025, but credentials associated with internal services remained exposed until December 2, 2025, allowing continued traffic redirection. The hosting provider confirmed no additional customers were affected.
Notepad++ version 8.9.2 introduced a 'double-lock' design for its update mechanism, including verifying the signed installer from GitHub and checking the signed XML from the notepad-plus-plus.org domain. The auto-updater now removes libcurl.dll to eliminate DLL side-loading risk, removes unsecured cURL SSL options, and restricts plugin management execution to programs signed with the same certificate as WinGUp. Users can exclude the auto-updater during UI installation or deploy the MSI package with the NOUPDATER=1 flag. The threat group Lotus Blossom, linked to China, was involved in the compromise, using a custom backdoor called 'Chrysalis' as part of the attack chain. Notepad++ version 8.9.2 also addresses a high-severity vulnerability (CVE-2026-25926, CVSS score: 7.3) that could result in arbitrary code execution in the context of the running application. An Unsafe Search Path vulnerability (CWE-426) exists when launching Windows Explorer without an absolute executable path, which may allow execution of a malicious explorer.exe if an attacker can control the process working directory.