Microsoft has been struggling with disruptions to its Microsoft 365 services and Exchange Online since February 2025, but is keeping quiet about the cause. I have received information that a bug or vulnerability in Microsoft Exchange Online has led to a catastrophic failure. I was told that a tenant administrator probably unintentionally triggered the deletion of mailboxes worldwide.
Brief review of what has been disclosed so far
I first reported on the German blog in the article Microsoft 365 Störung (1. März 2025) about the increasingly severe disruptions since March 1, 2025. When the disruptions continued, I took this up in further blog posts (see end of article). Microsoft communicated an "accidental update" as the reason for the problems.
On March 6, 2025, I raised the question of the cause for this long disruption in the article Outlook also disrupted on March 6, 2025 – one week of problems is already remarkable – but could not yet provide any details. My request to Microsoft via the German press department on March 4, 2025 for a post-incident report and clarification as to why the cloud services were disrupted remained unanswered.
In the meantime, I received various observations from blog readers about very strange behavior in Exchange Online and Microsoft 365 applications. For example, several sources reported that "The mailbox doesn't exist" is reported for customers when emails are to be sent.
There are also rumors that some Exchange Online customers believe that mailboxes may have been compromised. In the blog post Vulnerability cause of Exchange Online and MS 365 problems since March 1, 2025? I referred to these "reports" and also reported on the (according to Microsoft closed) vulnerability CVE-2024-49035 in the Partner Portal.
Is a vulnerability crashing Exchange Online worldwide?
On March 4, 2025, there was a strange contact request from an unnamed blog reader who wanted to talk to me about the "Exchange Online outage at the weekend" (March 1, 2025) and hinted at some rather explosive information. I made a phone call very late into the night on March 4 and noted down some information more or less "at the kitchen table".
Please note that the following statements are made with care and cannot be substantiated with screenshots etc. as everything has been deleted. My source, with whom I spoke on condition of anonymity, was not directly involved in the incident outlined below, but was "well informed". Some of the following statements coincide with the picture that I have compiled and published from various sources in the text above (as well as in the linked blog posts). All information has been published after my conversation with my source. For me, all in all, the picture described by my source looks consistent.
Customer has had Exchange Online problems for a week
The story begins when a Microsoft 365 customer had been experiencing massive problems since February 2025 and the situation arose that he could no longer send any emails with Exchange Online in the last week of February.
An IT service provider looking after the customer had called in Microsoft support, but they were unable to solve the problems. This was the situation on Friday, February 28, 2025, the day before the disruption to Microsoft cloud services was first reported by me. This is also consistent with reports from blog readers who reported sporadic problems sending emails via Exchange Online from time to time in February 2025.
Junk folder fills up and blocks mailbox
The IT service provider, who is also the tenant administrator for the affected customer, made a strange discovery. On February 28, 2025, he noticed that 50,000 SPAM mails were "slipping through" on the tenant and the SPAM folder of the mailboxes was overflowing. Presumably a SPAM filter or Exchange Online Protection (EOP) had failed.
As there were now also quota warnings, the IT service provider tried to empty the SPAM folders in one of the tenant's mailboxes. However, this was not possible, so the service provider tried to empty the junk folder remotely using PowerShell. This was also rejected with an error message.
At this point, according to my source, the IT service provider created a support ticket on February 28, 2025 with the subject "Junk folder cannot be deleted". Microsoft support also contacted the IT service provider on the same day and stated that the contents of the junk folder could not be deleted either. This was followed by a promise to pass the support case on to second-level support.
Asked ChatGPT and got a ticket to hell
After the customer had been unable to receive emails for 4 to 5 days and Microsoft Support had been unable to help for a week, good advice was hard to come by. On Saturday, March 1, 2025, the IT service provider came up with the idea of asking Microsoft's AI solution ChatGPT "how to delete the junk folder in Exchange Online".
As it happens, ChatGPT also provided an alleged solution in the form of a PowerShell command sequence. At around 9:30 pm, my source told me, the (tired and probably annoyed) IT service provider copied the PowerShell command sequence from the ChatGPT window 1:1 into the PowerShell window of Exchange Online and had this command sequence executed in one go.
This was probably the "ticket to hell": if the IT service provider had entered the PowerShell commands individually in the PowerShell window, some of them would have been rejected with an error message, it was said.
Then it all escalated: immediately after the PowerShell sequence was executed, Office 365 stopped working, the source reports. At the same time, the IT service provider saw that the error messages in Exchange Online were skyrocketing. Something serious must have happened as a result of the PowerShell command sequence.
My source, also an IT service provider, told me that he happened to be sitting in front of his computer late that night on March 1, 2025 and had opened his own Exchange Online tenant in the administrator panel. At around 10 p.m., the person noticed that his own mailbox in the tenant had suddenly disappeared. A message then appeared saying "We are currently preparing a mailbox", followed by the message "We are currently setting up a mailbox", i.e. the missing mailbox had probably been set up again.
My source told me: "It looked like Microsoft started restoring Exchange Online mailboxes that no longer existed at that moment", which had probably just been deleted by the process described below.
On the one hand, this observation is in line with the observations of other blog readers, which I mentioned above in the text or in more detail in the blog post Vulnerability cause of Exchange Online and MS 365 problems since March 1, 2025? This observation is also relevant for assessing the following statements.
At this point, things get uncomfortable, because the IT service provider is sitting at the customer's tenant via remote session and has to realize that he can no longer access his Office 365 applications. And a few kilometers away is another person who has just discovered that their own mailbox in the Exchange Online tenant is gone.
Call from Microsoft support with threats
According to my source, the phone rang late on a Saturday evening at the IT service provider who had just deployed a PowerShell sequence in Exchange Online and was now sitting in front of the "ruins of his work". Microsoft Support answered on the other end and explained to the baffled IT person that he had "just been very lucky to have picked up the phone". "They were already in the process of informing the public prosecutor's office to carry out a police operation – in the neighboring country – and to send the officers to his house". This was garnished with the question of what the man was currently doing.
I was told that the IT service provider explained the situation outlined above (no mail received for 4-5 days, junk folder full, Microsoft support couldn't help, so asked ChatGPT and followed the advice it spat out). The answer from Microsoft Support, which was then reported to me by my source during the conversation, was that the IT service provider had just triggered the deletion of all Exchange Online mailboxes worldwide using the PowerShell command sequence.
You have to spell it out word by word: although the IT service provider was the global tenant administrator, he was only allowed to access his own tenant in Exchange Online. If he tries things, that would be stupid, but an effect on other tenants should be impossible with a properly designed and implemented architecture. The tenant administrator should simply not have the appropriate permissions to reach other tenants.
I was told by my source that the IT service provider was accused by Microsoft of having caused "millions in damage". At the same time, there was a threat "not to let anything get out to third parties". And there was a request to sign a non-disclosure agreement (NDA) immediately.
According to my source, the person concerned refused to do so and mentioned that he would not sign anything until he had contacted his lawyer. I also learned that Microsoft Support was connected to the IT service provider's machine in a remote session and was shown the commands issued by ChatGPT. According to my source, Microsoft Support then deleted the chat history in the ChatGPT window so that this issue can no longer be documented.
As mentioned above, Exchange Online would have somehow rejected the individual commands in PowerShell with an error message. The command sequence unintentionally bypassed the PowerShell input validation. Something like an SQL command injection was unintentionally performed, which suddenly gave the PowerShell command sequence global rights and then had a cross-tenant effect – something that should never happen.
And this brings us back to the vulnerability CVE-2024-49035 in the partner portal mentioned above, where it was probably also possible to access content that was never allowed to be "touched" in this way. Whether it is the same or a different vulnerability is irrelevant here. As a tenant administrator, I have to assume that every action I take only affects my booked tenant and not other tenants worldwide.
Incalculable risks and unpleasant experiences
I was told that the person concerned was completely flattened for two days to recover from this shock and the threats from Microsoft Support. He then contacted both his lawyer and my source for advice.
If the facts of the case happened as reported (it is a statement from someone who knows someone), that would be incredible. From my point of view, the observations described are consistent with what I have learned from other sources and outlined in the text above. The sequence of events therefore sounds plausible – and why should someone tell me a hoax or such a fantasy story?
My conclusion: As a tenant administrator of Exchange Online or other Microsoft (cloud) services, you are working with a black box and have to rely on the provider to provide a secure environment. On the other hand, as a tenant administrator, you run the risk of suddenly "losing your house and yard" because one action "could cause millions in damage". That simply can't be true.
And the question arises as to whether the incident may be GDPR-relevant for tenant administrators and must be reported to the data protection authority. After all, there is a suspicion that third parties could or even still can access mailboxes across tenants using similar PowerShell sequences. In the articles mentioned above, there are suspicions expressed by companies who believe that mailboxes have been compromised.
I first asked Microsoft on March 4, 2025 via their German press department for a post-incident report on the March 1, 2025 outage, which has so far gone unanswered. Good, they don't have to answer to me as a blogger.
Now, on March 12, 2025, before this post went online, I asked Microsoft again via their German press department for a statement on the above description. So far I haven't received any reaction.
Similar articles:
Microsoft 365 Störung (1. März 2025)
Microsoft 365/Exchange Online outage from March 1st, 2025 still continues on 3/3/2025?
Outlook also disrupted on March 6, 2025
Vulnerability cause of Exchange Online and MS 365 problems since March 1, 2025?
I am having difficulties transferring my wife's Skype to Teams. Her user I.D. arrangements have become messed up, seemingly by MS bungling. Her account is no longer usable when attempts to use Teams are made. I haven't a clue what the problem is.
Our Skype setups worked great.
I personally have no problems with my user I.D. I was responsible for creating both my wife's and my Skype user accounts. Now mine seems to be workable with Teams Free but my wife's is not.
Microsoft is losing it.
Zoom looks like a viable alternative because we will be starting Zoom with a clean sheet. MS seems to have made its user I.D. management ridiculously complicated.
Microsoft support doesn't call you, they send mails and you have to call them.
When you receive a call from Microsoft, it's usually some scammers trying to trick you.
Also, why would you, as an IT admin, give control of your computer to this Microsoft support person? Again, sounds more like something a scammer would ask of you.
This story sounds too crazy and there are too many things that don't add up.
I don't believe this and I think you've gone down the wrong path reporting on things without any evidence.