Attackers are quietly abusing Microsoft 365 mailbox rules to steal emails, hide alerts, and maintain long-term access without installing malware.
These stealthy tactics are increasingly common in business email compromise (BEC) campaigns targeting enterprise users worldwide.
After gaining initial access, often through phishing, password spraying, or compromised OAuth tokens, attackers focus on persistence and stealth.
Rather than deploying malware, they weaponize legitimate features like Outlook’s mailbox rules to control email flow. These rules are meant to organize inboxes, but in an attacker’s hands, they become powerful tools for exfiltration and deception.
Mailbox rules allow hackers to delete, forward, or move incoming messages automatically. Malicious actors use them to intercept financial emails, suppress security warnings, or redirect messages to hidden folders such as “Archive” or “RSS Subscriptions.”
Because no network interception is needed, victims continue normal communication completely unaware that their inbox is being filtered behind the scenes.
Exploiting Stealth and Persistence
According to 2025 security telemetry, about 10% of compromised Microsoft 365 accounts showed malicious rule creation within seconds of the initial breach.
During Q4 2025, approximately 10% of compromised user accounts had at least one malicious mailbox rule created shortly after initial access. The minimum time from account takeover (ATO) to mail rule creation was around 5 seconds.

The rules often had trivial names like “.”, “..”, or “;”, a pattern researchers say reflects both automation and overconfidence: attackers don’t expect anyone to look there.
Even after a password reset, these rogue rules persist. Unless administrators manually review and remove them, auto-forwarding and message suppression continue, leaking sensitive information or blocking legitimate alerts.
One confirmed case involved a payroll staff member’s mailbox rule that moved any email with “Payment Receipt” in the subject line to “Archive.”
Attackers later used that same subject in an internal phishing campaign, hiding replies and extending access into executive accounts for payroll fraud.
Because the mailbox rule was already in place, all verification emails and correspondence from Zoho were automatically hidden in the ‘RSS Subscriptions’ folder.

Mailbox rules are enabling a new variant of man‑in‑the‑middle behavior conducted entirely within Microsoft 365.
In one incident, attackers hid emails from Zoho in a hidden folder, registered a fake domain using homoglyphs to mimic the victim’s company name, and hijacked a vendor transaction thread, all without maintaining persistent control of the original account.
The end goal: convincing the vendor to send duplicate payments to attacker‑controlled accounts.
Large‑Scale Automation
This tactic is now being automated. Attackers use Microsoft Graph or PowerShell scripts to mass‑create malicious rules across multiple users in seconds.

Proofpoint researchers demonstrated this capability with a tool called ATOLS, which can capture stolen session tokens and immediately create attacker‑defined mailbox rules upon login; no credentials are needed once tokens are in hand.
Microsoft 365 administrators can take clear steps to mitigate these risks:
- Disable external auto‑forwarding to prevent data exfiltration.
- Enforce MFA and conditional access policies to limit token replay and brute‑force success.
- Continuously monitor new mailbox rules and OAuth consent changes, especially those involving mail‑read or write permissions.
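The following Exchange Online PowerShell script is an added example written for this page; it is not code from the article, from Proofpoint, or from Microsoft. It turns the indicators described above (trivial rule names such as “.” or “;”, forwarding to external addresses, deleting messages, and moving mail into folders such as “RSS Subscriptions” or “Archive”) and the mitigation list into something an administrator can run: it enumerates inbox rules across all user mailboxes, pulls recent rule changes from the unified audit log, and blocks external auto-forwarding at both enforcement points. It assumes the ExchangeOnlineManagement module is installed and a session has already been opened with Connect-ExchangeOnline; the admin UPN, the hidden-folder list and the keyword list are placeholders you should adjust for your tenant.

```powershell
# Added example (not from the article). Requires the ExchangeOnlineManagement module
# and an account with Exchange administrator rights. Open a session first, e.g.:
#   Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# Folders the article reports attackers using to hide mail. Starting point, not exhaustive.
$HiddenFolders = @('RSS Subscriptions', 'RSS Feeds', 'Archive', 'Conversation History',
                   'Junk Email', 'Deleted Items')

# Domains that belong to this tenant; anything else counts as external.
$InternalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }

function Test-ExternalRecipient {
    param([string]$Address)
    # Recipients in Get-InboxRule output look like: "Display Name" [SMTP:user@example.com]
    if ($Address -match 'SMTP:([^\]\s]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1]
    return -not ($InternalDomains -contains $domain)
}

function Get-SuspiciousInboxRule {
    # Walk every user mailbox and emit rules that match the indicators from the article.
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
        $mbx = $_.UserPrincipalName
        Get-InboxRule -Mailbox $mbx | ForEach-Object {
            $rule    = $_
            $reasons = @()

            # 1. Empty or trivial names: ".", "..", ";", ",", whitespace only
            if ($rule.Name -match '^[\.\;\,\s]*$') { $reasons += 'trivial-name' }

            # 2. Forward, forward-as-attachment or redirect to an address outside the tenant
            foreach ($r in @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) {
                if ($r -and (Test-ExternalRecipient ([string]$r))) { $reasons += 'external-forward'; break }
            }

            # 3. Mail silently deleted, or moved into a folder users rarely open
            if ($rule.DeleteMessage) { $reasons += 'delete' }
            if ($rule.MoveToFolder) {
                $leaf = ([string]$rule.MoveToFolder -split '\\')[-1]   # keep only the folder name
                if ($HiddenFolders -contains $leaf) { $reasons += "move-to:$leaf" }
            }

            # 4. Conditions keyed on payment or security wording (placeholder keyword list)
            $words = (@($rule.SubjectContainsWords) + @($rule.BodyContainsWords)) -join ' '
            if ($words -match 'payment|invoice|receipt|wire|verification|password|security alert') {
                $reasons += 'finance-or-security-keyword'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox = $mbx; Rule = $rule.Name; Enabled = $rule.Enabled
                    Reasons = ($reasons -join ',')
                }
            }
        }
    }
}

function Get-RecentInboxRuleChanges {
    param([int]$Days = 7)
    # These operations are logged whether the rule was made in Outlook, OWA, Graph or PowerShell,
    # so a rule created seconds after a token replay still leaves a record here.
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When = $_.CreationDate; User = $_.UserIds; Operation = $_.Operations; ClientIP = $d.ClientIP
        }
    }
}

function Disable-ExternalAutoForwarding {
    # Block automatic forwarding to external recipients at the remote-domain level
    # and in the outbound spam policy, so neither path is left open.
    Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
    Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
}

# Example run: review first, enforce second.
Get-SuspiciousInboxRule      | Format-Table -AutoSize
Get-RecentInboxRuleChanges -Days 7 | Format-Table -AutoSize
# Disable-ExternalAutoForwarding    # uncomment once you have confirmed no business process depends on external forwarding
```

The hunting function deliberately reports a reason string rather than deleting anything: a rule moving “Payment Receipt” mail to Archive is a strong indicator, but it is a human who should confirm it and then remove it with Remove-InboxRule, because, as the article notes, the rule survives a password reset and will otherwise keep working. Pairing the mailbox sweep with the audit-log query also catches the case where an attacker created and later removed a rule.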
Mailbox rules may look like harmless productivity tools, but in the wrong hands, they act as invisible backdoors for BEC and espionage. Regular audits and user awareness are now essential for defending against this silent threat inside the inbox.