Mailbox Rule Abuse - Stealthy Threat After Account Compromise

High severity - significant development or major threat actor activity
Basically, attackers use email rules to hide their activities after breaking into accounts.
Researchers have identified a rise in mailbox rule abuse within Microsoft 365. Attackers manipulate email rules to maintain access and exfiltrate sensitive data. This poses significant risks for organizations and requires immediate defensive measures.
What Happened
Security researchers have discovered a troubling trend where attackers are exploiting Microsoft 365 mailbox rules to maintain access and exfiltrate data following account compromises. According to findings from Proofpoint, about 10% of breached accounts in the last quarter of 2025 had malicious mailbox rules set up shortly after the initial breach.
How Attackers Exploit Microsoft 365 Mailbox Rules
Mailbox rules allow attackers to automate email management, enabling them to control the flow of messages without raising alarms. By creating rules with vague names, they can redirect or delete emails, effectively manipulating what victims see in their inboxes. This tactic allows them to:
- Forward sensitive emails to external accounts for theft.
- Hide security alerts and password reset notifications.
- Intercept ongoing email conversations, influencing business transactions.
- Maintain access even after victims change their passwords.
Real-World Impact and Persistence Risks
The implications of mailbox rule abuse are severe. In one observed case, attackers targeted payroll processes by sending phishing emails from a compromised account while simultaneously hiding replies and warnings. This kept their fraudulent activities under the radar. In another instance, they used mailbox rules alongside domain spoofing to intercept vendor communications, inserting fraudulent payment requests into existing threads.
University environments have also been affected, with attackers deploying blanket rules that delete or obscure all incoming messages. This isolation allows them to conduct large-scale spam campaigns without detection. Malicious rules can persist even after credentials are reset, leading to ongoing data exposure.
Defensive Measures
To combat these threats, organizations should consider the following actions:
- Disable external auto-forwarding to limit data exfiltration.
- Enforce strong access controls, including multi-factor authentication (MFA).
- Monitor OAuth activity closely to detect unauthorized access.
- Respond swiftly by removing malicious rules, revoking sessions, and auditing account activity.
By understanding and addressing the risks associated with mailbox rule abuse, organizations can better protect themselves from these stealthy post-compromise threats.
How to Check If You're Affected
1. Review mailbox rules for any unauthorized changes.
2. Monitor account activity for unusual logins or access patterns.
3. Check for any auto-forwarding rules that may redirect emails.
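The three checks above and the defensive measures listed earlier, worked through in Exchange Online PowerShell. This is an added example and not code from the article or from Proofpoint; it assumes the ExchangeOnlineManagement module and an Exchange administrator account, and the heuristics it uses for "suspicious" (external forward or redirect targets, delete actions, moves into rarely-read folders, near-empty rule names), the 30-day audit window and the folder list are this example's own assumptions.

```powershell
# Added example (not from the original article): hunt for suspicious Exchange Online
# inbox rules and mailbox-level forwarding, then apply the hardening the article lists.
# Requires the ExchangeOnlineManagement module and Exchange admin rights.
# The "suspicious" heuristics, folder names and 30-day window are assumptions.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Internal domains: any forward/redirect target outside this set counts as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalRecipient {
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        if (-not $r) { continue }
        # Targets render as '"Display Name" [SMTP:user@domain]' or as a bare address.
        if ($r -match '(?i)smtp:([^\]>]+)') { $addr = $Matches[1] } else { $addr = $r }
        $domain = ($addr -split '@')[-1].Trim().ToLower()
        if ($domain -and ($internalDomains -notcontains $domain)) { return $true }
    }
    return $false
}

# Folders commonly used to bury hidden replies and alerts (assumed list).
$hidingFolders = @('RSS Feeds', 'RSS Subscriptions', 'Deleted Items', 'Junk Email', 'Archive', 'Conversation History')

$findings  = @()
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

foreach ($mbx in $mailboxes) {
    # Check 3: forwarding configured on the mailbox itself, outside any inbox rule.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Rule = '<mailbox forwarding>'
            Reason  = "ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress) ForwardingAddress=$($mbx.ForwardingAddress)"
        }
    }
    # Check 1: inspect every inbox rule for the actions the article describes.
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue)) {
        $reasons = @()
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        if (Test-ExternalRecipient $targets) { $reasons += 'forwards/redirects externally' }
        if ($rule.DeleteMessage)             { $reasons += 'deletes messages' }
        if ($rule.MoveToFolder -and ($hidingFolders -contains (($rule.MoveToFolder -split '\\')[-1]))) {
            $reasons += "moves to $($rule.MoveToFolder)"
        }
        if ($rule.MarkAsRead -and ($rule.DeleteMessage -or $rule.MoveToFolder)) { $reasons += 'also marks as read' }
        # Vague names such as "." or ".." are a recurring trait of attacker-created rules (heuristic).
        if ($rule.Name -match '^[\s\.\-_]{0,2}$') { $reasons += 'near-empty rule name' }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; Reason = ($reasons -join '; ') }
        }
    }
}
$findings | Format-Table -AutoSize

# Check 2: who created or changed rules recently. The unified audit log also records
# rules created from Outlook or OWA, which Get-InboxRule alone cannot attribute.
$since = (Get-Date).AddDays(-30)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 5000 `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox |
    Select-Object CreationDate, UserIds, Operations, @{ n = 'Detail'; e = { $_.AuditData } } |
    Format-List

# Hardening from the article: block external auto-forwarding tenant-wide.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Response for a confirmed malicious rule: remove it, then revoke the user's sessions
# so a stolen token cannot recreate it (Revoke-MgUserSignInSession is from the
# Microsoft.Graph PowerShell module). Left commented so the script is read-only by default.
# Remove-InboxRule -Mailbox $victimUpn -Identity $ruleIdentity -Confirm:$false
# Revoke-MgUserSignInSession -UserId $victimUpn
```

Run the hunt section first and review `$findings` by hand before uncommenting the response lines; a legitimate rule that moves newsletters to a folder will also be flagged by the folder heuristic, so the reason column is there to triage, not to auto-remediate. The audit-log query is what ties a rule to the login that created it, which is the evidence needed to decide whether a password reset alone was enough or whether sessions and OAuth grants also need revoking.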
MITRE ATT&CK Techniques
Pro insight: The exploitation of mailbox rules highlights the need for enhanced monitoring of email configurations post-compromise.