Proofpoint has recently uncovered a concerning rise in the misuse of mailbox rules within Microsoft 365 following account takeovers. Notably, the company observed this tactic in nearly 10% of compromised accounts analyzed during the fourth quarter of 2025, signaling a growing trend in post-compromise cyber activities.
Instead of deploying malware or relying on external command-and-control systems, attackers increasingly exploit native Microsoft 365 features. Once they gain unauthorized access, they quickly create malicious mailbox rules that automatically forward emails to external addresses, delete messages, or redirect them to rarely monitored folders such as Archive or RSS Subscriptions. As a result, these actions help threat actors remain undetected while continuously monitoring sensitive communications.
Moreover, this technique enables attackers to suppress critical security alerts, including notifications related to suspicious login attempts or multi-factor authentication prompts. In some instances, even after victims reset their passwords, attackers still retain access to valuable data through these hidden rules.
According to Proofpoint, the speed of execution is particularly alarming. The analysis revealed that attackers often create malicious rules within seconds—sometimes as quickly as five seconds—after gaining access. This strongly suggests a high level of automation, likely driven by phishing kits or phishing-as-a-service platforms.
The names of these rules also follow a pattern: many consist of simple symbols such as “.”, “…”, or “;”, which researchers associate with template reuse across large-scale phishing campaigns.
Fraud tactics
One incident involved the compromise of an Accounting Specialist’s mailbox. An attacker created a rule named “…” that archived emails with the subject line “FW: Payment Receipt” and then used the account to send an internal phishing campaign to 45 colleagues.
The campaign led to the compromise of a second account belonging to the Chief Executive Officer’s Assistant. The attacker then created another rule to suppress emails about payroll enrolment and sent a fraudulent payroll request from the compromised mailbox.
By hiding both replies and security alerts, the mailbox rules helped the attacker maintain control of the conversation. The case shows how rule abuse can support internal impersonation and payment fraud without changing infrastructure outside the victim’s Microsoft 365 environment.
Thread hijacking
In another case, attackers manipulated email threads to execute financial fraud. After compromising an account, they created rules to move all emails from Zoho into the RSS Subscriptions folder, effectively hiding verification messages. Subsequently, they registered a spoofed domain using a homoglyph trick—such as replacing the letter “O” with a zero—and created lookalike email addresses.
These fraudulent identities were then inserted into ongoing payment discussions, attempting to convince recipients that payments had failed and needed to be resent. Even after the original account was disabled, the attacker’s external spoofing infrastructure remained active, extending the threat.
Higher education targeted
Meanwhile, university environments presented a slightly different attack pattern. In these cases, attackers often configured unconditional rules that deleted or archived all incoming emails. Consequently, legitimate users were locked out of their own communication channels while attackers used the accounts to distribute spam, fake job offers, scholarship scams, and fraudulent marketplace listings.
Additionally, dormant accounts—especially those belonging to former students or retired staff—were frequently targeted. These accounts often lack updated security measures such as multi-factor authentication and are less actively monitored, making them easy entry points.
Furthermore, attackers have scaled these operations using tools like Microsoft Graph API and Exchange Online PowerShell. This allows them to deploy malicious rules across multiple compromised accounts simultaneously, transforming isolated breaches into widespread campaigns.
Detection gap
From a defense standpoint, mailbox rule abuse poses a significant challenge. Because these activities occur entirely within the application layer, they often resemble legitimate user behavior and evade traditional network-based detection methods.
Therefore, security experts recommend several safeguards. Organizations should disable external auto-forwarding by default, enforce strong conditional access policies, and implement multi-factor authentication. Additionally, monitoring OAuth permissions—especially those requesting Mail.Read or Mail.ReadWrite access—is critical.
When malicious rules are identified, organizations must act swiftly by removing unauthorized configurations, revoking active sessions, and reviewing sign-in logs and OAuth applications linked to mailbox access.
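As an added example (not Proofpoint's tooling and not code from the article), the checks below score New-InboxRule audit records against the indicators the report describes: symbol-only names, deletion, moves into Archive or RSS Subscriptions, external forwarding, unconditional rules, and creation seconds after a sign-in. The records, domains and addresses are constructed; the record shape is a simplified version of the Unified Audit Log's, and forwarding values are assumed to be plain SMTP addresses.

```python
from datetime import datetime

# Constructed sample records, loosely modelled on Microsoft 365 Unified Audit Log
# entries for UserLoggedIn and New-InboxRule; all values here are invented.
SAMPLE_LOG = [
    {"CreationTime": "2025-11-03T08:14:02", "Operation": "UserLoggedIn",
     "UserId": "acct.specialist@example.com"},
    {"CreationTime": "2025-11-03T08:14:07", "Operation": "New-InboxRule",
     "UserId": "acct.specialist@example.com", "Parameters": [
         {"Name": "Name", "Value": "..."}, {"Name": "MoveToFolder", "Value": "Archive"},
         {"Name": "SubjectContainsWords", "Value": "FW: Payment Receipt"}]},
    {"CreationTime": "2025-11-03T09:30:00", "Operation": "New-InboxRule",
     "UserId": "alumni@example.edu", "Parameters": [
         {"Name": "Name", "Value": ";"}, {"Name": "DeleteMessage", "Value": "True"}]},
]
INTERNAL_DOMAINS = {"example.com", "example.edu"}  # assumption: the tenant's own domains
HIDING_FOLDERS = {"archive", "rss subscriptions", "rss feeds", "junk email"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
CONDITION_PARAMS = {"From", "SubjectContainsWords", "BodyContainsWords", "SentTo"}

def rule_indicators(rec, logins=(), login_window=60):
    """Return (rule name, fired indicators); `logins` = that account's sign-in datetimes."""
    p = {x["Name"]: x["Value"] for x in rec.get("Parameters", [])}
    external_fwd = any(p[k].rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
                       for k in FORWARD_PARAMS & p.keys())  # assumes plain SMTP addresses
    checks = [
        (not any(c.isalnum() for c in p.get("Name", "")), "symbol-only name"),  # ".", ";"
        (str(p.get("DeleteMessage", "")).lower() == "true", "deletes mail"),
        (p.get("MoveToFolder", "").lower() in HIDING_FOLDERS, "moves mail to a rarely read folder"),
        (external_fwd, "forwards to an external address"),
        (not CONDITION_PARAMS & p.keys(), "unconditional (matches every message)"),
    ]
    hits = [label for cond, label in checks if cond]
    # A rule created seconds after a sign-in points to scripted post-compromise setup.
    created = datetime.fromisoformat(rec["CreationTime"])
    deltas = [(created - t).total_seconds() for t in logins]
    if any(0 <= d <= login_window for d in deltas):
        hits.append(f"created {int(min(d for d in deltas if d >= 0))}s after sign-in")
    return p.get("Name", ""), hits

def triage(records):
    """(user, rule name, indicators) for every suspicious rule; clean rules are omitted."""
    logins = {}
    for r in records:
        if r["Operation"] == "UserLoggedIn":
            logins.setdefault(r["UserId"], []).append(datetime.fromisoformat(r["CreationTime"]))
    rules = [(r["UserId"], *rule_indicators(r, logins.get(r["UserId"], [])))
             for r in records if r["Operation"] == "New-InboxRule"]
    return [f for f in rules if f[2]]
```

Feed it the output of a Unified Audit Log search filtered to New-InboxRule and Set-InboxRule operations (after parsing each record's AuditData JSON) to get a per-account list of rules worth removing and sessions worth revoking.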
Overall, the findings suggest that mailbox rule abuse is no longer a rare occurrence. Instead, it has become a standard tactic in account takeover attacks, offering cybercriminals a discreet yet powerful method to facilitate fraud, deception, and data theft within Microsoft 365 environments.