Microsoft mistake blows up admins’ inboxes with fake malware alerts

Many administrators have had a trying Monday after getting spammed out with false malware reports by Microsoft.

In the last hour the Microsoft 365 service center put out an alert on Xitter, oddly, even before sending out the customary 365 Service Alert email, users complained. Others pointed out that the issue was flagged up on reddit more than two hours before Microsoft got around to alerting customers.

“We’re investigating an issue in which some users’ email messages may be incorrectly flagged as malware and quarantined. More info can be found in the admin center under EX873252,” Microsoft posted.

“We identified an issue affecting our malware detection systems. We’ve implemented a mitigation to unblock legitimate emails that were mistakenly quarantined. The replay of impacted emails is in progress.”

For the moment it seems admins will have to manually unblock legitimate emails. Given the volume of material, and the need for care not to let actual malware through, this might take some time. It also appears that the original EX873252 article has been taken down, although you can see it here.

The issue appears to have kicked off around 0900 ET (1300 UTC), and Britain’s National Health Service issued an alert a few hours later. Redmond has reportedly said it is fixing the problem but, while many are reporting the flood of false positives has eased, it doesn’t appear that the issue is fully resolved as yet.

One amateur sysadmin sleuth suggests it’s down to an issue with the Microsoft Defender Threat Explorer and the PowerShell Get-QuarantineMessage cmdlet.

We’ll update this piece when there’s a solid statement from Microsoft. ®

READ MORE HERE