Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages
Summary
Microsoft has acknowledged that faulty anti-phishing rules in Exchange Online incorrectly quarantined legitimate emails and Teams messages. The issue was caused by heuristic detection rules that were designed to block credential phishing campaigns. Microsoft has since resolved the problem.
IFF Assessment
Identifying and fixing a faulty anti-phishing rule ultimately benefits defenders, as it improves email security and reduces false positives.
Severity
Defender Context
This incident highlights the challenge of balancing aggressive phishing detection against the need to avoid false positives. Defenders should review their email security configurations and consider tuning their anti-phishing rules to minimize disruption to legitimate communication. Regularly monitoring quarantine activity for misclassified emails can also help identify and address similar issues promptly.