Admins may see a queue of false positive "Soft delete emails" action types in the Microsoft 365 Defender Action Center
December 20, 1:03pm AST
Title: Users' received email is incorrectly flagged as unsafe and is becoming stuck in the Microsoft 365 Defender Action Center
User Impact: Users' received email is incorrectly flagged as unsafe and is becoming stuck in the Microsoft 365 Defender Action Center.
Current status: We're investigating a potential issue and checking for impact to your organization. We'll provide an update within 30 minutes.
December 20, 1:17pm AST
Current status: We're reviewing system logs and samples of affected messages to isolate the origin of this issue.
Scope of impact: Your organization is affected by this event, and any users' incoming messages may be impacted intermittently.
Next update by: Monday, December 20, 2021, at 7:00 PM UTC
December 20, 2:50pm AST
Current status: We're continuing our review of the affected messages to understand what's causing this problem and formulate a remediation plan.
Scope of impact: Your organization is affected by this event, and any users' incoming email messages may be impacted intermittently.
Next update by: Monday, December 20, 2021, at 9:00 PM UTC
December 20, 4:52pm AST
Current status: We're reviewing events in the Microsoft 365 Defender Action Center User Experience (UX) that we suspect may be contributing to the problem, to further our understanding of the impact scenario and determine our next troubleshooting steps.
Scope of impact: Your organization is affected by this event, and any users' incoming email messages may be impacted intermittently.
Next update by: Tuesday, December 21, 2021, at 7:00 AM UTC
December 21, 3:00am AST
Current status: We've determined this is residual impact from EX306353, due to Microsoft 365 Defender picking up stale data about false positive malicious URLs. We're reviewing options for manually canceling the actions that those false positives created in the Microsoft 365 Defender Action Center in order to clear the Action Center queue and release the affected email messages to recipients' mailboxes.
Scope of impact: This issue affects any users attempting to receive email messages that contain a URL that was falsely marked as malicious.
Root cause: This is residual impact from EX306353, due to Microsoft 365 Defender picking up stale data about false positive malicious URLs.
Next update by: Wednesday, December 22, 2021, at 7:00 AM UTC
December 21, 3:52am AST
More info: Users correctly see the email messages in their inboxes.
Admins can clear the Action Center queue by rejecting the false positive actions.
Current status: After further review, we've determined this isn't affecting users receiving email messages. Users correctly see the email messages in their inboxes. Admins can clear the Action Center queue by rejecting the false positive actions. In an effort to remediate the impact for admins, we're reviewing options for manually canceling the actions that the false positives created in the Microsoft 365 Defender Action Center in order to clear the Action Center queue.
Scope of impact: This issue affects any admins viewing the Microsoft 365 Defender Action Center.
Start time: Friday, December 17, 2021, at 1:34 PM UTC
Root cause: This is residual impact from EX306353, due to Microsoft 365 Defender picking up stale data about false positive malicious URLs.
Next update by: Wednesday, December 22, 2021, at 12:00 PM UTC
December 21, 6:06am AST
More info:
- Admins may experience latency in progression of MDO Investigations and actions.
- Users correctly see the email messages in their inboxes.
- Admins can clear the Action Center queue by rejecting the false positive actions.
Current status: We've determined that the actions the false positives had created in the Microsoft 365 Defender Action Center are now automatically clearing. We're monitoring the queue as it automatically drains.
Scope of impact: This issue may affect any admin when viewing the Microsoft 365 Defender Action Center.
Root cause: This is residual impact from EX306353, due to Microsoft 365 Defender picking up stale data about false positive malicious URLs.
Next update by: Thursday, December 23, 2021, at 1:00 PM UTC
December 23, 8:11am AST
Current status: The queue is draining as expected and we're continuing to monitor its progress.
Scope of impact: This issue may affect any admin when viewing the Microsoft 365 Defender Action Center.
Root cause: This is residual impact from EX306353, due to Microsoft 365 Defender picking up stale data about false positive malicious URLs.
Next update by: Monday, December 27, 2021, at 1:00 PM UTC
December 23, 11:30am AST
Title: Admins may have seen a queue of false positive "Soft delete emails" action types in the Microsoft 365 Defender Action Center
User Impact: Admins may have seen a queue of false positive "Soft delete emails" action types in the Microsoft 365 Defender Action Center.
Final status: We've observed the completion of the queue drain, and have received confirmation from your organization's representatives that impact has been fully remediated.
Scope of impact: This issue may have affected any admin when viewing the Microsoft 365 Defender Action Center.
Start time: Friday, December 17, 2021, at 1:34 PM UTC
End time: Thursday, December 23, 2021, at 3:30 PM UTC
Root cause: This issue was residual impact from EX306353, caused by Microsoft 365 Defender picking up stale data about false positive malicious URLs.
Next steps:
- We're analyzing performance data and trends on the affected systems to help prevent this problem from happening again.
This is the final update for the event.
December 23, 11:30am AST
Resolved