www.infosecurity-magazine.com 4/13/2026, 3:41:01 PM

Attackers hijack Microsoft 365 mailbox rules to steal data

Security researchers have identified a surge in the misuse of mailbox rules within Microsoft 365 environments, with attackers increasingly relying on native email features to maintain access, exfiltrate data and manipulate communications after account compromise, according to Proofpoint.

The findings show that about 10% of breached accounts in Q4 2025 had malicious mailbox rules created within seconds of initial access, often with minimal or nonsensical names and designed to delete emails or move them into rarely monitored folders such as Archive or RSS Subscriptions. These rules give attackers automation and stealth, allowing them to silently control email flow, suppress or redirect messages and reshape what victims see in their inbox.

Common objectives include forwarding sensitive emails to external accounts for data theft, hiding security alerts and anything else that might raise suspicion, intercepting ongoing conversations and maintaining access even after password changes. Real-world scenarios include internal phishing from a compromised account to target payroll processes, as well as using domain spoofing and third-party services to insert fraudulent payment requests.

To defend, organisations should disable external auto-forwarding, enforce strong access controls including MFA, monitor OAuth activity and rapidly remove malicious rules.


Article by CyberSIXT