Microsoft mistake blows up admins' inboxes with fake malware alerts

Legitimate emails misclassified in software snafu


Updated Many administrators have had a trying Monday after getting spammed out with false malware reports by Microsoft.

In the last hour the Microsoft 365 service center put out an alert on Xitter, oddly, even before sending out the customary 365 Service Alert email, users complained. Others pointed out that the issue was flagged on Reddit more than two hours before Microsoft got around to alerting customers.

"We're investigating an issue in which some users' email messages may be incorrectly flagged as malware and quarantined. More info can be found in the admin center under EX873252," Microsoft posted.

"We identified an issue affecting our malware detection systems. We've implemented a mitigation to unblock legitimate emails that were mistakenly quarantined. The replay of impacted emails is in progress."

For the moment it seems admins will have to manually unblock legitimate emails. Given the volume of material, and the need for care not to let actual malware through, this might take some time. It also appears that the original EX873252 article has been taken down, although you can see it here.

The issue appears to have kicked off around 0900 ET (1300 UTC), and Britain's National Health Service issued an alert a few hours later. Redmond has reportedly said it is fixing the problem but, while many are reporting the flood of false positives has eased, it doesn't appear that the issue is fully resolved as yet.

One amateur sysadmin sleuth suggests it's down to an issue with the Microsoft Defender Threat Explorer and the PowerShell Get-QuarantineMessage cmdlet.
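The manual unblocking described above is usually done from Exchange Online PowerShell with the same Get-QuarantineMessage cmdlet. The script below is an added illustration of a careful way to do it, not code from Microsoft or from this article: it pulls every message quarantined as Malware during the incident window, sets aside anything Microsoft's replay has already released, separates messages from trusted sender domains (a constructed placeholder list) from the rest, and only releases identities an analyst has signed off in a CSV. It assumes the ExchangeOnlineManagement module, the documented -Type, -StartReceivedDate, -EndReceivedDate, -PageSize and -Page parameters, and the Released, ReleaseStatus and SenderAddress output properties; the dates, domains and file paths are placeholders.

```powershell
# Added example (not from The Register or Microsoft): triage mail quarantined as
# Malware during the incident window, then release only what a human has reviewed.
# Assumes the ExchangeOnlineManagement module and a role that can manage quarantine.
# The window, trusted-domain list and CSV paths are constructed placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; skip if a session already exists

# Incident window from the article: roughly 1300 UTC on 26 August onward.
$start = [datetime]::Parse('2024-08-26T13:00:00Z').ToUniversalTime()
$end   = [datetime]::UtcNow

# Pass 1: enumerate every message quarantined as Malware in the window.
# Results are paged, so keep requesting pages until one comes back short.
$quarantined = @()
$page = 1
do {
    $batch = Get-QuarantineMessage -Type Malware `
        -StartReceivedDate $start -EndReceivedDate $end `
        -PageSize 1000 -Page $page
    $quarantined += $batch
    $page++
} while ($batch.Count -eq 1000)

# Pass 2: split into release candidates and messages that need analyst review.
# A candidate must NOT already be released (Microsoft's replay would otherwise
# deliver it twice) AND must come from a domain the organisation trusts.
# Everything else stays in quarantine until a person looks at it.
$trustedDomains = @('contoso.com', 'partner.example')   # placeholder list

$candidates = $quarantined | Where-Object {
    -not $_.Released -and
    ($trustedDomains -contains ($_.SenderAddress -split '@')[-1].ToLower())
}
$review = $quarantined | Where-Object { $_.Identity -notin $candidates.Identity }

$candidates |
    Select-Object Identity, ReceivedTime, SenderAddress, RecipientAddress, Subject |
    Export-Csv -NoTypeInformation -Path '.\quarantine-release-candidates.csv'
$review |
    Select-Object Identity, ReceivedTime, SenderAddress, RecipientAddress, Subject, ReleaseStatus |
    Export-Csv -NoTypeInformation -Path '.\quarantine-needs-review.csv'

Write-Host ("Quarantined as Malware in window: {0}; release candidates: {1}; held for review: {2}" -f `
    $quarantined.Count, $candidates.Count, $review.Count)

# Pass 3 (run separately, after someone has read and pruned the candidates CSV):
# release only the identities still listed there. -WhatIf previews the action;
# remove it to actually release.
Import-Csv '.\quarantine-release-candidates.csv' | ForEach-Object {
    Release-QuarantineMessage -Identity $_.Identity -ReleaseToAll -WhatIf
}
```

The two-file split is the point: during a false-positive storm the temptation is to release the whole quarantine in one line, which is exactly how a real malicious attachment that happened to arrive in the same window gets delivered. Filtering on Released also keeps the manual pass from colliding with the automatic replay Microsoft described.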

We'll update this piece when there's a solid statement from Microsoft. ®

Updated at 2000 UTC on August 26

Microsoft claims the 365 issue is fixed in 99% of cases. "Telemetry shows over 99% of impacted emails have been unblocked and automatically replayed," it Xeeted.
