Mailbox Rule Abuse: The Stealthy Post-Compromise Threat in Microsoft 365
Imagine an attacker quietly controlling your email inbox—deleting security alerts, forwarding sensitive messages, and hiding all traces of their activity. This is not a far-fetched scenario. Security researchers have uncovered a significant rise in mailbox rule abuse within Microsoft 365 environments, where cybercriminals leverage native email features to maintain access, exfiltrate data, and manipulate communications after compromising an account.
According to findings from Proofpoint, approximately 10% of breached accounts in Q4 2025 had malicious mailbox rules created within seconds of initial access. These rules often use minimal or nonsensical names, making them easy to overlook. They are designed to delete emails or move them into rarely monitored folders like Archive or RSS Subscriptions, allowing attackers to operate under the radar.
How Attackers Exploit Microsoft 365 Mailbox Rules
Mailbox rules provide attackers with a powerful combination of automation and stealth. Once inside an account, they can silently control email flow while avoiding detection. By suppressing or redirecting messages, attackers reshape what victims see in their inbox, allowing fraudulent activity to continue unnoticed.
Common attacker objectives include:
- Forwarding sensitive emails to external accounts for data theft
- Hiding security alerts, password resets, and suspicious activity
- Intercepting and manipulating ongoing email conversations
- Maintaining access even after password changes
In practice, these tactics enable attackers to impersonate victims, hijack communication threads, and influence business transactions without triggering traditional security alerts. This form of mailbox rule abuse is particularly dangerous because it leverages legitimate functionality, making it hard for standard defenses to detect.
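The objectives above map directly onto detection logic. As an added example (not Proofpoint's or Microsoft's code), the following Python script turns the indicators described in this article (a rule created seconds after sign-in, a minimal or nonsensical name, delete or move into Archive or RSS Subscriptions, forwarding to an external address, filters on security or payment wording) into a scoring pass over Microsoft 365 Unified Audit Log records. The record shape follows the AuditData JSON that Search-UnifiedAuditLog returns; the HIDING_FOLDERS and SENSITIVE_TERMS lists, the 120-second correlation window and the SAMPLE records are assumptions and constructed data for this example.

```python
# Flag suspicious inbox-rule creations in Microsoft 365 Unified Audit Log exports.
# Added example for this article, not Proofpoint's or Microsoft's code. Records follow the
# AuditData JSON shape that Search-UnifiedAuditLog returns, trimmed to the fields used here.
import re
from datetime import datetime, timezone

# Folders the article names as dumping grounds (Archive, RSS Subscriptions) plus other
# rarely read system folders; extend for your tenant.
HIDING_FOLDERS = {"archive", "rss subscriptions", "rss feeds", "junk email", "deleted items"}
# Subject/body/sender terms suggesting a rule targets security notices or payment threads.
SENSITIVE_TERMS = ("password", "security", "alert", "suspicious", "verify", "mfa",
                   "invoice", "payment", "wire", "bank", "payroll", "phish")
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_time(value: str) -> datetime:
    """CreationTime is ISO 8601 in UTC, with or without a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "")).replace(tzinfo=timezone.utc)

def rule_params(record: dict) -> dict:
    """Flatten the [{Name, Value}, ...] Parameters list of an Exchange cmdlet record."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def folder_name(value: str) -> str:
    """MoveToFolder is logged as a path ('\\Archive', 'user@x\\RSS Subscriptions')."""
    return value.replace("/", "\\").rstrip("\\").split("\\")[-1].strip().lower()

def external_recipients(params: dict, internal_domains) -> list:
    """Forward/redirect addresses whose domain is not one of ours."""
    internal = {d.lower() for d in internal_domains}
    return [addr for key in FORWARD_PARAMS
            for addr in EMAIL_RE.findall(params.get(key, ""))
            if addr.split("@")[1].lower() not in internal]

def assess_rule(record: dict, logins: list, internal_domains, window_s: int = 120) -> dict:
    """Score one New-InboxRule / Set-InboxRule record against the article's indicators."""
    params = rule_params(record)
    name = params.get("Name", "")
    findings = []
    if len(name.strip()) <= 2 or not re.search(r"[A-Za-z0-9]", name):
        findings.append(f"minimal or nonsensical rule name {name!r}")
    deletes = params.get("DeleteMessage", "").lower() == "true"
    if deletes:
        findings.append("deletes matching mail")
    moves_hidden = folder_name(params.get("MoveToFolder", "")) in HIDING_FOLDERS
    if moves_hidden:
        findings.append(f"moves mail to rarely read folder {folder_name(params['MoveToFolder'])!r}")
    ext = external_recipients(params, internal_domains)
    if ext:
        findings.append("forwards or redirects to external " + ", ".join(ext))
    text = " ".join(params.get(k, "") for k in ("SubjectContainsWords", "BodyContainsWords", "From")).lower()
    hits = [t for t in SENSITIVE_TERMS if t in text]
    if hits:
        findings.append("matches security/payment wording: " + ", ".join(hits))
    suspicious = bool(findings)

    # Timing indicator from the article: the rule appears seconds after a sign-in by the same user.
    created = parse_time(record["CreationTime"])
    user = record["UserId"].lower()
    recent_login = any(entry["UserId"].lower() == user
                       and 0 <= (created - parse_time(entry["CreationTime"])).total_seconds() <= window_s
                       for entry in logins)
    if recent_login:
        findings.append(f"created within {window_s}s of a sign-in")

    if ext or ((deletes or moves_hidden) and (recent_login or hits)):
        severity = "high"
    elif suspicious:
        severity = "medium"
    else:
        severity = "none"
    return {"user": record["UserId"], "rule": name, "client_ip": record.get("ClientIP"),
            "severity": severity, "findings": findings}

def scan(records: list, internal_domains=("contoso.example",)) -> list:
    """Evaluate every inbox-rule creation or change in a batch of audit records."""
    logins = [r for r in records if r.get("Operation") == "UserLoggedIn"]
    return [assess_rule(r, logins, internal_domains) for r in records
            if r.get("Operation") in ("New-InboxRule", "Set-InboxRule")]

# Constructed sample batch (not real tenant data): a sign-in, two hostile rules created
# seconds later, and a benign rule from another user.
SAMPLE = [
    {"CreationTime": "2025-11-03T08:14:02", "Operation": "UserLoggedIn",
     "UserId": "j.doe@contoso.example", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2025-11-03T08:14:19", "Operation": "New-InboxRule",
     "UserId": "j.doe@contoso.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "password;security alert;suspicious"},
                    {"Name": "MoveToFolder", "Value": "\\RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-11-03T08:14:31", "Operation": "New-InboxRule",
     "UserId": "j.doe@contoso.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": ".."},
                    {"Name": "ForwardTo", "Value": "\"Jane\" [SMTP:drop@mail.attacker.example]"},
                    {"Name": "StopProcessingRules", "Value": "True"}]},
    {"CreationTime": "2025-11-03T11:02:10", "Operation": "New-InboxRule",
     "UserId": "a.smith@contoso.example", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters to folder"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "\\Newsletters"}]},
]

if __name__ == "__main__":
    for result in scan(SAMPLE):
        print(result["severity"].upper(), result["user"], result["rule"], result["findings"])
```

Run against an export of New-InboxRule, Set-InboxRule and UserLoggedIn events, the two rules named "." and ".." come out as high severity (hidden folder plus security wording created seconds after a sign-in; external forwarding), while the newsletter rule produces no findings. The sign-in correlation is what separates "a user tidied their inbox" from "someone who just got in is hiding their tracks", so keep the login events in the same batch rather than scanning rule events alone.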
Real-World Impact and Persistence Risks
Several scenarios illustrate how mailbox rule abuse plays out in real attacks. In one case observed by Proofpoint, attackers targeted payroll processes by launching internal phishing emails from a compromised account, while rules were created to hide replies and warnings. This ensured the activity remained largely invisible to the victim.
In another example, attackers combined mailbox rules with third-party email services and domain spoofing to intercept vendor communications and insert fraudulent payment requests into existing threads. These tactics are classic signs of business email compromise (BEC) attacks, which continue to plague organizations worldwide.
University environments have also been affected. Attackers frequently deploy blanket rules that delete or hide all incoming messages, isolating the mailbox and enabling large-scale spam campaigns without user awareness. One of the most concerning aspects is persistence: malicious forwarding and suppression rules can remain active even after credentials are reset, allowing continued data exposure.
Building on this, researchers note that automation tools now enable attackers to deploy these rules across multiple accounts at scale, turning a simple feature into a powerful and difficult-to-detect attack method. This means that even organizations with robust security measures can fall victim to mailbox rule abuse if they do not monitor for such activity.
Defending Against Mailbox Rule Abuse
To defend against these threats, Proofpoint suggests that organizations disable external auto-forwarding, enforce strong access controls including multi-factor authentication (MFA), and closely monitor OAuth activity. Rapid response, meaning removing malicious rules, revoking active sessions, and auditing account activity, is also recommended.
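A containment helper for the response steps just listed (remove the malicious rules, then revoke sessions), written as an added example that is not Proofpoint's or Microsoft's code. It calls the Microsoft Graph messageRules and revokeSignInSessions endpoints, which exist; it assumes an application token whose permissions cover the user's mailbox settings and session revocation, and the FakeSession class and SAMPLE_RULES are constructed so the script runs offline. Disabling external auto-forwarding is a tenant-wide Exchange Online setting and is not part of this script.

```python
# Contain a compromised Microsoft 365 mailbox through Microsoft Graph.
# Added example for this article, not Proofpoint's or Microsoft's code. GraphSession is a
# minimal transport; FakeSession and SAMPLE_RULES are constructed for offline use.
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

class GraphSession:
    """Bare bearer-token transport over urllib; swap in msal/requests in production."""

    def __init__(self, token: str):
        self.token = token

    def request(self, method: str, url: str, body=None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {self.token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

def list_inbox_rules(session, user: str) -> list:
    return session.request("GET", f"{GRAPH}/users/{user}/mailFolders/inbox/messageRules").get("value", [])

def remaining_external_forwards(session, user: str, internal_domains) -> list:
    """External addresses still targeted by any forward/redirect action.
    Expected to be empty after containment; anything left means a rule was missed."""
    internal = {d.lower() for d in internal_domains}
    found = []
    for rule in list_inbox_rules(session, user):
        actions = rule.get("actions") or {}
        for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
            for recipient in actions.get(key) or []:
                addr = recipient.get("emailAddress", {}).get("address", "")
                if addr and addr.split("@")[-1].lower() not in internal:
                    found.append(addr)
    return found

def contain_mailbox(session, user: str, flagged_rule_names, revoke_sessions: bool = True) -> dict:
    """Delete the flagged rules first, then revoke sessions.

    A password reset or sign-out on its own leaves the rules in place (the persistence
    the article warns about), so rules go first. Rule ids come from the live mailbox,
    since audit-log records carry the rule name but not the Graph id.
    """
    wanted = set(flagged_rule_names)
    removed, kept = [], []
    for rule in list_inbox_rules(session, user):
        if rule.get("displayName") in wanted:
            session.request("DELETE", f"{GRAPH}/users/{user}/mailFolders/inbox/messageRules/{rule['id']}")
            removed.append(rule["displayName"])
        else:
            kept.append(rule["displayName"])
    if revoke_sessions:
        session.request("POST", f"{GRAPH}/users/{user}/revokeSignInSessions")
    return {"user": user, "removed": removed, "kept": kept, "sessions_revoked": revoke_sessions}

class FakeSession:
    """Offline stand-in for GraphSession that records every call (constructed for this example)."""

    def __init__(self, rules: list):
        self.rules = list(rules)
        self.calls = []

    def request(self, method: str, url: str, body=None) -> dict:
        self.calls.append((method, url))
        if method == "GET":
            return {"value": list(self.rules)}
        if method == "DELETE":
            rule_id = url.rsplit("/", 1)[1]
            self.rules = [r for r in self.rules if r["id"] != rule_id]
        return {}

# Constructed rules in the Graph messageRule shape: two hostile rules an analyst has
# flagged by name, and one legitimate rule that must survive containment.
SAMPLE_RULES = [
    {"id": "rule-1", "displayName": ".", "isEnabled": True,
     "actions": {"moveToFolder": "folder-id-rss", "markAsRead": True}},
    {"id": "rule-2", "displayName": "..", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mail.attacker.example"}}],
                 "stopProcessingRules": True}},
    {"id": "rule-3", "displayName": "Newsletters to folder", "isEnabled": True,
     "actions": {"moveToFolder": "folder-id-news"}},
]

if __name__ == "__main__":
    session = FakeSession(SAMPLE_RULES)  # GraphSession("<token>") against a real tenant
    user = "j.doe@contoso.example"
    print("before:", remaining_external_forwards(session, user, ["contoso.example"]))
    print(contain_mailbox(session, user, [".", ".."]))
    print("after:", remaining_external_forwards(session, user, ["contoso.example"]))
```

The post-check matters as much as the deletion: confirming that no remaining rule forwards outside the organization is the evidence that containment actually closed the exfiltration path. After a real run, re-query the audit log for New-InboxRule events on the account, since an attacker holding a still-valid token elsewhere can recreate the rules.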
For more insights on protecting your organization, check out our guide on business email compromise prevention and learn about Microsoft 365 security best practices.
In conclusion, mailbox rule abuse represents a stealthy post-compromise threat that every organization using Microsoft 365 should take seriously. By understanding how attackers exploit these features and implementing proactive defenses, you can reduce the risk of data breaches and financial losses.