Microsoft 365 Alert – Service Degradation – Microsoft Defender XDR – Some users’ email messages are incorrectly soft-deleted by Microsoft Defender automated remediation – ONGOING

13/02/2026 09:20:00 AM

NHSmail Reference: INC46749356

Microsoft Reference: DZ1231212

Issue Status: ONGOING

Issue Description: Users’ email messages are incorrectly soft-deleted by Microsoft Defender automated remediation.

More info: Admins can manually reverse the results of each investigation in the Microsoft Defender XDR portal to resolve the issue.

This issue is specific to the impact window of Wednesday, February 11, 2026, at 8:20 PM UTC and Thursday, February 12, 2026, at 12:25 AM UTC.

Current Update: 16/02/2026 09:05:00 AM – Microsoft are in the final stages for processing the results of the affected email messages. They are anticipating the this process will be complete by their next scheduled update.

Scope of impact: Your organization is affected by this event, and some users’ email messages are incorrectly soft-deleted by Microsoft Defender automated remediation. This information may be updated as our investigation continues.

Root cause: A recent surge in malicious activity involving a URL-redirection service influenced our machine learning (ML) model and resulted in some legitimate URLs that redirected through this service to be blocked during time-of-click evaluation. While this issue has been mitigated by adding the affected URLs to the ML model’s allow list, there remains a number of email messages which contained the URL and were automatically soft-deleted.

Next update by: Monday, February 16, 2026, at 5:00 PM UTC