Microsoft has quietly fixed a long-running network anomaly that caused traffic meant for the test-only domain example.com to be routed to servers belonging to a Japanese electronics firm, according to a detailed investigation by Ars Technica. The issue affected parts of Microsoft’s own cloud infrastructure and appears to have persisted for several years before being noticed publicly.
The domain example.com is reserved under internet standards specifically so developers and engineers can safely use it for testing without sending traffic to real organizations. It is not supposed to resolve to any commercial service. However, users inside Microsoft networks discovered that Outlook’s automatic email configuration system was directing example.com email setup attempts to subdomains of sei.co.jp, a domain owned by Sumitomo Electric in Japan.
The misrouting stemmed from Microsoft’s autodiscover service, which is designed to help email clients automatically locate mail servers. When users attempted to configure test email addresses like email@example.com, Microsoft’s systems returned server settings pointing to Japanese mail servers, meaning test credentials could have been transmitted outside Microsoft’s network.
Security researchers who examined the behavior described it as a likely configuration error rather than a malicious action. Still, the implications raised eyebrows, as it demonstrated that a domain explicitly reserved to prevent exactly this kind of problem was mishandled inside one of the world’s largest cloud providers.
Microsoft initially offered no explanation for why the routing existed. After Ars Technica published its findings, the company removed the behavior entirely. Instead of correcting the routing logic, Microsoft appears to have disabled the relevant validation endpoint altogether, causing requests to fail rather than return server information. Microsoft later confirmed it had updated the service so example.com no longer receives suggested server settings and said it is continuing to investigate.
What remains unanswered is how Sumitomo Electric’s domain was added to Microsoft’s internal configuration in the first place, and how long the issue went unnoticed. Some observers estimate the anomaly may have existed for as long as five years. While no evidence suggests data was intentionally collected or misused, the incident has renewed concerns about hidden configuration errors inside complex cloud platforms.
The episode also echoes past Microsoft security lapses, including a 2024 incident in which a forgotten test account was exploited by state-backed hackers. Together, these cases highlight how small oversights in large systems can persist for years and only surface by chance, raising broader questions about what other silent misconfigurations may still exist.