Surge in Mailbox Rule Abuse Threatens Microsoft 365 Security
Severity: High (Score: 69.0)
Sources: Proofpoint, Infosecurity-Magazine
Summary
Security researchers have reported a significant increase in the abuse of mailbox rules within Microsoft 365 environments, with attackers leveraging these native email features to maintain access and exfiltrate data after account compromise. According to findings from Proofpoint, approximately 10% of compromised accounts in Q4 2025 had malicious mailbox rules created within seconds of initial access. These rules are often given minimal or nonsensical names, and they delete emails or move them to less monitored folders, so the attacker controls what the victim sees in the inbox. Common objectives include forwarding sensitive emails to external accounts, hiding security alerts, and intercepting ongoing communications. Because the rules persist, they can remain active even after credentials are reset, allowing continued data exposure. Attackers are also using automation tools to deploy these rules across multiple accounts, making detection more challenging. Organizations are advised to disable external auto-forwarding, enforce strong access controls, and monitor OAuth activity closely.
Key Points
- 10% of compromised Microsoft 365 accounts had malicious mailbox rules created shortly after access.
- Attackers use mailbox rules to delete or hide emails, manipulating victim perception.
- Malicious rules can persist even after password changes, allowing ongoing data exposure.
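As an added illustration (not Proofpoint's tooling or code from the cited articles), the following script scores inbox rules for the traits the summary describes: minimal names, delete or move-to-hidden-folder actions, external forwarding, and conditions keyed on security alerts. It assumes rule objects in the shape of the Microsoft Graph messageRule resource, with moveToFolder already resolved to a folder display name, and uses constructed sample rules.

```python
# Added example: flag M365 inbox rules with traits the summary describes (not Proofpoint's tooling).
# Rule objects follow the Microsoft Graph messageRule shape (assumption); samples below are constructed.
import re

LOW_VISIBILITY_FOLDERS = {"rss feeds", "conversation history", "deleted items", "junk email", "archive"}
ALERT_TERMS = ("security alert", "password", "sign-in", "suspicious", "mfa")

def _addresses(recipients):
    return [r["emailAddress"]["address"].lower() for r in recipients or []]

def flag_suspicious_rules(rules, internal_domains):
    """Return [(rule name, [reasons])] for every enabled rule that matches at least one heuristic."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        name, actions = rule.get("displayName", ""), rule.get("actions", {})
        reasons = []
        # Minimal or nonsensical name: two characters or fewer, or no word of three or more letters.
        if len(name.strip()) <= 2 or not re.search(r"[A-Za-z]{3,}", name):
            reasons.append("minimal/nonsensical name")
        if actions.get("delete"):
            reasons.append("deletes messages")
        # Graph returns a folder id here; assumed already resolved to the folder's display name.
        folder = (actions.get("moveToFolder") or "").lower()
        if folder in LOW_VISIBILITY_FOLDERS:
            reasons.append(f"moves mail to '{folder}'")
        targets = sum((_addresses(actions.get(k)) for k in
                       ("forwardTo", "forwardAsAttachmentTo", "redirectTo")), [])
        external = [t for t in targets if t.rsplit("@", 1)[-1] not in internal]
        if external:
            reasons.append("forwards to external: " + ", ".join(external))
        # A rule keyed on security-notification subjects suggests alert hiding.
        subjects = [s.lower() for s in rule.get("conditions", {}).get("subjectContains", [])]
        if any(term in s for s in subjects for term in ALERT_TERMS):
            reasons.append("targets security alert subjects")
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed sample rules: two abusive patterns from the summary plus one benign rule.
SAMPLE_RULES = [
    {"displayName": ".", "isEnabled": True, "conditions": {"subjectContains": ["Security alert"]},
     "actions": {"delete": True, "stopProcessingRules": True}},
    {"displayName": "Invoices", "isEnabled": True, "conditions": {"subjectContains": ["invoice"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "collector@example.net"}}]}},
    {"displayName": "Newsletters", "isEnabled": True, "conditions": {"senderContains": ["news"]},
     "actions": {"moveToFolder": "Newsletters"}},
]
```

Run `flag_suspicious_rules(SAMPLE_RULES, ["example.com"])` over rules exported from each mailbox after a compromise, and treat any hit as a rule to review and remove alongside the credential reset.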
Key Entities
- Brute Force (attack_type)
- Data Breach (attack_type)
- Man-in-the-Middle (attack_type)
- Phishing (attack_type)
- T1566.001 - Spearphishing Attachment (mitre_attack)
- T1566 - Phishing (mitre_attack)
- Microsoft 365 (platform)
- Zoho (platform)
- Outlook (company)