VYPR
Research · Published Apr 13, 2026 · Updated May 18, 2026 · 1 source

Mailbox Rule Abuse Emerges as Stealthy Post-Compromise Threat in Microsoft 365

Proofpoint reports a surge in mailbox rule abuse, with 10% of breached Microsoft 365 accounts in Q4 2025 having malicious rules created within seconds of initial access.

Security researchers at Proofpoint have identified a significant surge in the misuse of mailbox rules within Microsoft 365 environments, with attackers increasingly relying on native email features to maintain access, exfiltrate data, and manipulate communications after account compromise. The findings, published today, reveal that roughly 10% of breached accounts in Q4 2025 had malicious mailbox rules created within seconds of initial access, often using minimal or nonsensical names designed to evade detection.

Mailbox rules give attackers automation and stealth in a single native feature. Once inside an account, an attacker can silently control email flow, suppressing or redirecting messages and so reshaping what the victim sees in the inbox. Common objectives include forwarding sensitive email to external accounts for data theft, hiding security alerts and password reset notifications, intercepting and manipulating ongoing conversations, and keeping a foothold after the password changes: a rule is stored server-side in the mailbox and keeps running regardless of who currently holds the credentials.

The real-world impact of these tactics is substantial. In one case observed by Proofpoint, attackers targeted payroll processes by launching internal phishing emails from a compromised account while creating rules to hide replies and warnings, ensuring the activity remained largely invisible. In another example, attackers combined mailbox rules with third-party email services and domain spoofing to intercept vendor communications and insert fraudulent payment requests into existing threads, enabling sophisticated business email compromise (BEC) attacks.

University environments have also been affected, with attackers frequently deploying blanket rules that delete or hide all incoming messages, isolating the mailbox and enabling large-scale spam campaigns without the user noticing. One of the most concerning aspects is persistence: because rules live in the mailbox rather than in the attacker's session, malicious forwarding and suppression rules remain active after a password reset or session revocation until someone removes them, allowing continued data exposure. The researchers also note that automation tools now let attackers deploy these rules across many accounts at scale, turning a simple feature into a powerful and difficult-to-detect attack method.
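The rule patterns described in the two paragraphs above (external forwarding, blanket deletion, hiding security notices, trivial names, creation within seconds of sign-in) can be triaged from the tenant's audit log. The script below is an added example written for this page; it is not Proofpoint's tooling or anything from the Vypr article. It assumes records shaped like Unified Audit Log entries (the AuditData JSON returned by Search-UnifiedAuditLog), where rule changes appear as New-InboxRule or Set-InboxRule operations with a Parameters list and sign-ins appear as UserLoggedIn; the parameter value encodings, the accepted-domain list, the 60-second window and every sample record are constructed assumptions.

```python
"""Triage Microsoft 365 inbox-rule audit events for the abuse patterns above.
Added example, not Proofpoint or Vypr code. Assumes Unified Audit Log-style
records: rule changes as New-InboxRule/Set-InboxRule with a "Parameters" list of
{"Name","Value"} pairs, sign-ins as UserLoggedIn. Parameter value encodings vary
between tenants and tooling, so values are treated as free text. All sample
records below are constructed."""
import re
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"contoso.com"}    # assumption: the tenant's accepted domains
LOGIN_WINDOW = timedelta(seconds=60)  # rule created this soon after sign-in is suspicious

# Parameters that scope a rule to particular messages; a delete/move rule with
# none of these acts on every incoming message.
CONDITION_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "From",
                    "FromAddressContainsWords", "SentTo", "HasAttachment",
                    "SubjectOrBodyContainsWords", "HeaderContainsWords"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
OBSCURE_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history",
                   "junk email", "deleted items", "archive")
ALERT_WORDS = ("password", "security", "sign-in", "signin", "suspicious",
               "unusual", "phish", "hacked", "mfa", "alert", "verify")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _params(record):
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _truthy(value):
    return value.strip().lower() in {"true", "$true", "1"}


def _hides(params):  # rule deletes, moves, or marks messages read
    return (_truthy(params.get("DeleteMessage", "")) or bool(params.get("MoveToFolder"))
            or _truthy(params.get("MarkAsRead", "")))


def rule_indicators(record, logins, internal_domains=INTERNAL_DOMAINS, window=LOGIN_WINDOW):
    """Return the set of abuse indicators for one New-/Set-InboxRule record."""
    params = _params(record)
    keys, found = set(params), set()
    # Forwarding or redirecting to an address outside the tenant.
    for name in FORWARD_PARAMS & keys:
        for addr in EMAIL_RE.findall(params[name]):
            if addr.rsplit("@", 1)[1].lower() not in internal_domains:
                found.add("external_forward")
    # Delete with no scoping condition: blanket suppression of the mailbox.
    if _truthy(params.get("DeleteMessage", "")) and not (CONDITION_PARAMS & keys):
        found.add("blanket_delete")
    # Messages parked in a folder the user rarely opens.
    if any(f in params.get("MoveToFolder", "").lower() for f in OBSCURE_FOLDERS):
        found.add("hidden_folder")
    # Conditions keyed on security notices, combined with a hiding action.
    cond_text = " ".join(params[n] for n in CONDITION_PARAMS & keys).lower()
    if _hides(params) and any(w in cond_text for w in ALERT_WORDS):
        found.add("alert_suppression")
    # Minimal or nonsensical rule name, e.g. "." or "..".
    name = params.get("Name")
    if name is not None and (len(name.strip()) <= 2 or not any(c.isalnum() for c in name)):
        found.add("minimal_name")
    # Created within seconds of a sign-in by the same account.
    created = datetime.fromisoformat(record["CreationTime"])
    if any(timedelta(0) <= created - t <= window
           for t in logins.get(record["UserId"].lower(), [])):
        found.add("seconds_after_login")
    return found


def find_suspicious_rules(records, internal_domains=INTERNAL_DOMAINS, window=LOGIN_WINDOW):
    """Correlate sign-ins with rule changes; return flagged rules, oldest first."""
    logins = {}
    for rec in records:
        if rec.get("Operation") == "UserLoggedIn":
            logins.setdefault(rec["UserId"].lower(), []).append(
                datetime.fromisoformat(rec["CreationTime"]))
    findings = []
    for rec in records:
        if rec.get("Operation") in {"New-InboxRule", "Set-InboxRule"}:
            indicators = rule_indicators(rec, logins, internal_domains, window)
            if indicators:
                findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                                 "operation": rec["Operation"], "client_ip": rec.get("ClientIP", ""),
                                 "rule_name": _params(rec).get("Name", ""), "indicators": indicators})
    return sorted(findings, key=lambda f: f["time"])


# Constructed sample records, not real tenant data.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-11-03T08:15:02", "Operation": "UserLoggedIn",
     "UserId": "alice@contoso.com", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2025-11-03T08:15:09", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.com", "ClientIP": "203.0.113.7", "Parameters": [
         {"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "mail@example.net"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-11-03T09:00:00", "Operation": "UserLoggedIn",
     "UserId": "bob@contoso.com", "ClientIP": "198.51.100.4"},
    {"CreationTime": "2025-11-03T10:30:00", "Operation": "New-InboxRule",  # benign rule
     "UserId": "bob@contoso.com", "ClientIP": "198.51.100.4", "Parameters": [
         {"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"},
         {"Name": "SubjectContainsWords", "Value": "Weekly digest"}]},
    {"CreationTime": "2025-11-03T11:02:33", "Operation": "UserLoggedIn",
     "UserId": "carol@contoso.com", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2025-11-03T11:02:40", "Operation": "Set-InboxRule",
     "UserId": "carol@contoso.com", "ClientIP": "203.0.113.7", "Parameters": [
         {"Name": "Name", "Value": ".."}, {"Name": "MarkAsRead", "Value": "True"},
         {"Name": "MoveToFolder", "Value": "\\RSS Feeds"},
         {"Name": "SubjectContainsWords", "Value": "password;security alert;unusual sign-in"}]},
]

if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_RECORDS):
        print(f"{f['time']} {f['user']} {f['operation']} name={f['rule_name']!r} "
              f"from {f['client_ip']}: {sorted(f['indicators'])}")
```

Run against the constructed records it flags alice's rule (external forward, blanket delete, name ".", created 7 seconds after sign-in) and carol's rule (security-notice subjects moved to RSS Feeds and marked read, name "..", also seconds after sign-in), while bob's newsletter filter produces no indicators. Against a real tenant, feed it the AuditData objects from an Exchange and Entra ID audit export over the same time range; the single-indicator hits (a short name alone, an internal forward) are the ones that need an analyst, the multi-indicator hits are what the Proofpoint report describes.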

To defend against similar threats, Proofpoint recommends that organizations disable external auto-forwarding (in Exchange Online this is governed by the outbound spam filter policy's automatic forwarding setting and the remote domain AutoForwardEnabled setting), enforce strong access controls including multi-factor authentication (MFA), and closely monitor OAuth application consents and activity, since a granted consent is a separate persistence path that survives a password reset. Rapid response is equally critical: remove malicious rules explicitly, because a password reset alone does not delete them, revoke active sessions and refresh tokens, and audit the account's activity. Alerting on New-InboxRule and Set-InboxRule events in the unified audit log, particularly rules that forward externally, delete messages, or carry trivial names, catches the pattern Proofpoint describes at creation time. As mailbox rule abuse continues to emerge as a stealthy post-compromise threat, organizations must adapt their security strategies to address this native yet dangerous attack vector.

Synthesized by Vypr AI