Microsoft addressed a problematic anti-spam rule that inundated Microsoft 365 administrators’ inboxes with blind carbon copies (BCC) of outgoing emails mistakenly flagged as spam. The issue, identified as EX682041, resulted in Exchange Online users globally experiencing false positive incidents, where all emails directed to external addresses were incorrectly marked as spam.
In response to the situation, Microsoft, through its official Microsoft 365 Status account on Twitter, acknowledged the problem, stating, “We’re investigating an issue that led to admins receiving an unexpected surge in copies of outbound emails sent to external parties from other users in their organization.” The company confirmed disabling a rule change responsible for legitimate emails being erroneously categorized as spam and reported ongoing progress in resolving the issue.
According to Microsoft’s estimations, the anti-spam problems commenced at approximately 09:40 AM PDT and were fully resolved 14 hours later. During the mitigation process, the company assured affected tenants that emails inaccurately labeled as spam were also cleared from quarantine.
Administrators assigned to receive copies of emails flagged as potential outbound spam or high-risk delivery mail under default alert policies were particularly affected. Microsoft clarified in the admin center that, during the reprocessing efforts, some admins may have experienced a temporary impact in the form of a secondary stream of duplicate inbound notification messages within their inboxes. However, these duplicates were not indicative of actual email redelivery but were solely intended to rectify notifications directed to the spam mailbox. After extensive monitoring and analysis, Microsoft confirmed the resolution of this issue.
To prevent future occurrences, administrators can disable the “Send a copy of suspicious outbound messages” setting for the default outbound spam policy by following these steps:
- Visit https://security.microsoft.com/antispam
- Choose the Anti-Spam outbound policy (Default)
- Uncheck “Send a copy of suspicious outbound messages.”
- Click ‘Save’
While Microsoft assured the removal of false-positive spam messages from quarantine, administrators are advised to check if any users were added to the blocked senders list. Users blocked due to the anti-spam false-positive issue can be reinstated from the Restricted Entities page in the Microsoft 365 Defender portal. Microsoft emphasized that, under normal circumstances, all restrictions should be lifted within one hour, with the possibility of a longer wait due to transient technical issues but not exceeding 24 hours.
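The portal steps and the blocked-senders check above can also be done from Exchange Online PowerShell. The script below is an added example, not taken from Microsoft or from this article; it assumes the ExchangeOnlineManagement module and an account permitted to manage anti-spam policies, and the `-Apply` switch is a hypothetical name chosen here.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: report (and optionally disable) BCC of suspicious outbound
# mail, then list senders currently restricted for outbound spam.
param(
    [switch]$Apply   # hypothetical switch: without it, changes run as -WhatIf
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Show the BCC and notification settings on every outbound spam policy.
#    Custom policies can carry the same setting as the default one.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, BccSuspiciousOutboundMail,
                  BccSuspiciousOutboundAdditionalRecipients,
                  NotifyOutboundSpam, NotifyOutboundSpamRecipients |
    Format-List

# 2. Equivalent of unchecking "Send a copy of suspicious outbound messages"
#    on the Anti-Spam outbound policy (Default).
$default = Get-HostedOutboundSpamFilterPolicy -Identity 'Default'
if ($default.BccSuspiciousOutboundMail) {
    Set-HostedOutboundSpamFilterPolicy -Identity 'Default' `
        -BccSuspiciousOutboundMail $false -WhatIf:(-not $Apply)
} else {
    Write-Host 'Default policy: BCC of suspicious outbound mail already off.'
}

# 3. List users on the restricted (blocked senders) list so each entry can be
#    reviewed. Entries are not removed automatically: an account may be
#    restricted for a genuine reason unrelated to the false positives.
$blocked = Get-BlockedSenderAddress
if ($blocked) {
    $blocked | Select-Object SenderAddress, Reason, CreatedDatetime |
        Sort-Object CreatedDatetime | Format-Table -AutoSize
    # After review, release one sender (address below is a placeholder):
    # Remove-BlockedSenderAddress -SenderAddress 'user@example.com'
} else {
    Write-Host 'No restricted senders found.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without `-Apply` to see what would change. Turning off the BCC copy does not stop alerting on its own, so check the notification recipients in the step 1 output before applying.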