Mailbox Rule Abuse Emerges as Stealthy Post-Compromise Threat

Security researchers have identified a surge in the misuse of mailbox rules within Microsoft 365 environments, with attackers increasingly relying on native email features to maintain access, exfiltrate data and manipulate communications after account compromise.

The Proofpoint findings, published earlier today, show that about 10% of breached accounts in Q4 2025 had malicious mailbox rules created within seconds of initial access.

These rules often use minimal or nonsensical names and are designed to delete emails or move them into rarely monitored folders like Archive or RSS Subscriptions.

How Attackers Exploit Microsoft 365 Mailbox Rules

Mailbox rules provide attackers with automation and stealth. Once inside an account, they can silently control email flow while avoiding detection. By suppressing or redirecting messages, attackers reshape what victims see in their inbox, allowing fraudulent activity to continue unnoticed.

Common attacker objectives include:

  • Forwarding sensitive emails to external accounts for data theft

  • Hiding security alerts, password resets and suspicious activity

  • Intercepting and manipulating ongoing email conversations

  • Maintaining access even after password changes

In practice, these tactics enable attackers to impersonate victims, hijack communication threads and influence business transactions without triggering traditional security alerts.

Real-World Impact and Persistence Risks

Several scenarios illustrated how mailbox rule abuse plays out. In one case observed by Proofpoint, attackers targeted payroll processes by launching internal phishing emails from a compromised account, while rules were created to hide replies and warnings. This ensured the activity remained largely invisible.

In another example, attackers combined mailbox rules with third-party email services and domain spoofing to intercept vendor communications and insert fraudulent payment requests into existing threads.

University environments have also been affected. Attackers frequently deploy blanket rules that delete or hide all incoming messages, isolating the mailbox and enabling large-scale spam campaigns without user awareness.

One of the most concerning aspects is persistence. Malicious forwarding and suppression rules can remain active even after credentials are reset, allowing continued data exposure.

The researchers also note that automation tools now enable attackers to deploy these rules across multiple accounts at scale, turning a simple feature into a powerful and difficult-to-detect attack method.

To defend against similar threats, Proofpoint suggested that organizations disable external auto-forwarding, enforce strong access controls (including MFA) and closely monitor OAuth activity. Rapid response, meaning removing malicious rules, revoking sessions and auditing account activity, is also recommended.
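The indicators the report describes (rules created seconds after initial access, minimal or nonsensical names, delete or move-to-Archive/RSS actions, external forwarding, suppression of password-reset and security-alert mail) can be turned into a triage check over inbox-rule creation events. The following is an added example, not code from the article or from Proofpoint. It assumes audit records shaped like Exchange Online unified audit log entries for the New-InboxRule cmdlet (an Operation, a CreationTime, a UserId and a list of Name/Value Parameters); that field layout, the internal domain list and the sample records are all constructed assumptions for the demo.

```python
"""Triage helper for Microsoft 365 inbox-rule creation events.

Added example, not code from the article or from Proofpoint. The record
shape (Operation / CreationTime / UserId / Parameters as Name-Value pairs)
is an assumption modelled on unified audit log output for New-InboxRule;
the sample records below are constructed, not real telemetry.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

ORG_DOMAINS = {"example.com"}  # assumed internal mail domains
# Destinations the article names as rarely monitored, plus common variants.
SUSPICIOUS_FOLDERS = {"archive", "rss subscriptions", "rss feeds",
                      "junk email", "deleted items", "conversation history"}
# A rule created within this window of a login counts as "immediate".
LOGIN_WINDOW = timedelta(seconds=60)

# Constructed sample audit records (not real telemetry).
SAMPLE_LOG = [
    {"Operation": "UserLoggedIn", "CreationTime": "2025-11-03T08:14:02",
     "UserId": "alice@example.com", "Parameters": []},
    {"Operation": "New-InboxRule", "CreationTime": "2025-11-03T08:14:09",
     "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords",
                     "Value": "password;security alert;invoice"}]},
    {"Operation": "New-InboxRule", "CreationTime": "2025-11-03T09:30:00",
     "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Vendor"},
                    {"Name": "ForwardTo", "Value": "drop@attacker-mail.test"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    {"Operation": "New-InboxRule", "CreationTime": "2025-11-03T10:05:00",
     "UserId": "carol@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"},
                    {"Name": "From", "Value": "news@example.com"}]},
]


def _params(record: dict) -> dict:
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _external(addresses: str) -> list[str]:
    """Return the addresses whose domain is not one of ours."""
    out = []
    for addr in addresses.replace(";", ",").split(","):
        addr = addr.strip().strip('"').lower()
        if "@" in addr and addr.rsplit("@", 1)[1] not in ORG_DOMAINS:
            out.append(addr)
    return out


def score_rule(record: dict, last_login: datetime | None) -> dict:
    """Return the indicators matched by one New-InboxRule record."""
    p = _params(record)
    created = datetime.fromisoformat(record["CreationTime"])
    hits = []
    name = p.get("Name", "")
    # Names made only of punctuation or a single character are a red flag.
    if len(name.strip(".,-_ ")) <= 1:
        hits.append("minimal_or_nonsense_name")
    if p.get("DeleteMessage", "").lower() == "true":
        hits.append("deletes_messages")
    if p.get("MoveToFolder", "").lower() in SUSPICIOUS_FOLDERS:
        hits.append("moves_to_unmonitored_folder")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if _external(p.get(key, "")):
            hits.append("forwards_externally")
            break
    words = p.get("SubjectContainsWords", "").lower()
    if any(w in words for w in ("password", "security", "alert", "suspicious", "reset")):
        hits.append("targets_security_notifications")
    if last_login is not None and timedelta(0) <= created - last_login <= LOGIN_WINDOW:
        hits.append("created_seconds_after_login")
    return {"user": record["UserId"], "rule_name": name,
            "indicators": hits, "score": len(hits)}


def triage(records: list[dict]) -> list[dict]:
    """Score every rule-creation event, tracking each user's last login."""
    last_login: dict[str, datetime] = {}
    findings = []
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        if rec["Operation"] == "UserLoggedIn":
            last_login[rec["UserId"]] = datetime.fromisoformat(rec["CreationTime"])
        elif rec["Operation"] == "New-InboxRule":
            findings.append(score_rule(rec, last_login.get(rec["UserId"])))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(json.dumps(finding))
```

On the constructed input, the first rule (a one-character name, delete action on password and security-alert subjects, created seven seconds after a login) scores 4, the external-forward-plus-RSS-folder rule scores 2, and the benign newsletter rule scores 0. The score is only a ranking aid: in a real deployment the user, rule and originating session would be reviewed together, and any confirmed rule removed alongside the session revocation and activity audit the report recommends.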