19-05-2021 10:44:01 AM (BST)
Issue Reported: 10/05/2021 06:04:00 PM
Microsoft Reference : MO255463
Issue Status: RESOLVED
Users may experience multiple issue related to email flow, links within email messages and the Microsoft Defender portal
More info: Impacted scenarios include, but are not limited to:
– Users may have been unable to receive emails that contained URLs from legitimate domains.
– Users may have noticed legitimate messages were getting quarantined or sent to junk.
– Users were unable to access links within emails that were incorrectly identified to be risky.
– Users may have become blocked from sending emails if their messages were incorrectly detected as spam or phish.
– Admins may have experienced delays with Automated Investigations in Microsoft Defender for Office 365 (MDO) before the service was disabled to alleviate impact.
– Admins would have seen alert reporting latency within the Microsoft Defender 365 portal before the service was disabled to alleviate impact. This was due to the alert ingestion service working through an unexpectedly large queue of erroneous alerts coming from the incorrectly blocked URLs.
– After all services were re-enabled, admins may have seen stale false positive alerts within Microsoft Defender 365 portal. Microsoft provided instructions to manually remove these alerts from the portal in the “More info” section of service incident MO255463 on Thursday, May 13, 2021.
Admins may have also experienced ancillary impact scenarios related to this event:
– An error caused the Quarantine Log queue to process message state changes for emails released from quarantine slower than expected. As a result, admins may have seen previously released emails still listed as quarantined in the Microsoft Defender 365 portal quarantine UI.
– On Thursday, May 13, 2021, we identified that a portion of emails that were still showing as quarantined were originating from a subset of URLs that were not properly unblocked and released during the initial event. Admins may have seen additional delays for these messages to be de-listed from quarantine status in the Microsoft Defender 365 portal quarantine UI.
This is an amalgamation of incidents and users may have previously seen these impacts reported under EX255432 and EX255435.
Scope of impact: This could potentially impact any user.
Final Update: Microsoft have completed processing the change backlog and confirmed that newly released messages are no longer appearing as quarantined within the Microsoft Defender 365 portal quarantine UI. Our continued monitoring of the service environment has shown no further impact from this event.