The Exchange 2019 Hub Transport service freezes after a malformed email triggers an anti-malware scanning loop. The mail queue grows to 15,000 messages. Internal and external email delivery stops completely. Users are unaware until critical business emails bounce.
Pattern: EXCHANGE_EVENT
Severity: CRITICAL
Confidence: 92%
Remediation: Auto-Heal
Test Results
| Metric | Expected | Actual | Result |
|---|---|---|---|
| Pattern Recognition | EXCHANGE_EVENT | EXCHANGE_EVENT | |
| Severity Assessment | CRITICAL | CRITICAL | |
| Incident Correlation | Yes | 22 linked | |
| Cascade Escalation | N/A | No | |
| Remediation | — | Auto-Heal — Corax resolves autonomously | |
Scenario Conditions
Exchange 2019 CU14. Hub Transport role. Anti-malware agent enabled. Malformed email with recursive MIME attachment. Queue: 15,000 messages and growing. Poison message queue engaged.
Injected Error Messages (2)
Exchange transport queue critical — MSExchangeTransport service: 15,247 messages queued, transport pipeline frozen, anti-malware agent stuck in scanning loop on message ID <malformed@spam.net>, Event ID 1035: FIPFS scan timeout, poison message queue: 3 items
Exchange mail delivery halted — OWA showing 'message pending delivery' for all outbound email, NDR generation backing up, users reporting emails stuck in Outbox for 2+ hours, external partners reporting non-delivery
Neural Engine Root Cause Analysis
The Exchange transport pipeline is frozen due to the anti-malware agent being stuck in an infinite scanning loop on a malformed message (malformed@spam.net). The FIPFS (Forefront Protection) scan timeout (Event ID 1035) indicates the anti-malware engine cannot process this message, causing the entire transport queue to back up with 15,247 messages. The poison message queue contains 3 items that are likely preventing normal message flow, creating a cascading failure affecting the entire Exchange transport service.
Remediation Plan
1. Stop MSExchangeTransport service to halt further processing.
2. Clear poison message queue by removing the 3 problematic messages.
3. Manually remove or quarantine the malformed message (malformed@spam.net) from the transport pipeline.
4. Restart FIPFS/anti-malware service to reset scanning engine.
5. Restart MSExchangeTransport service to resume normal operations.
6. Monitor queue levels to ensure messages begin processing normally.