Malicious mailbox rule abuse in Microsoft 365 environments escalates as covert post-compromise persistence vector
Summary
Attackers are increasingly exploiting native Microsoft 365 mailbox rules to maintain stealthy persistence, exfiltrate data, and manipulate email communications following account compromise. Abuse involves creating minimal or obfuscated rules that delete, archive, or redirect emails to obscure folders like Archive or RSS Subscriptions, enabling attackers to suppress security alerts, intercept sensitive conversations, and impersonate users without immediate detection. This technique is observed in approximately 10% of breached accounts during Q4 2025, often deployed within seconds of initial access.
Timeline
- 13.04.2026 18:00 · 1 article
Stealthy persistence via malicious Microsoft 365 mailbox rules escalates in Q4 2025
Attackers are increasingly abusing Microsoft 365 mailbox rules post-compromise to maintain access, exfiltrate data, and manipulate email communications. Malicious rules, often created within seconds of initial access, redirect or delete emails to obscure folders, suppress security alerts, and hijack conversations. Observed in approximately 10% of breached accounts during Q4 2025, this technique enables persistence even after password changes and is now deployable at scale via automation tools.
- Mailbox Rule Abuse Emerges as Stealthy Post-Compromise Threat — www.infosecurity-magazine.com — 13.04.2026 18:00
Information Snippets
- Attackers exploit Microsoft 365 mailbox rules to automate email manipulation, enabling data exfiltration via forwarding, suppression of security alerts, and hijacking of ongoing email threads.
First reported: 13.04.2026 18:00 · 1 source, 1 article
- Mailbox Rule Abuse Emerges as Stealthy Post-Compromise Threat — www.infosecurity-magazine.com — 13.04.2026 18:00
- Malicious rules are frequently named minimally or nonsensically and target rarely monitored folders such as Archive or RSS Subscriptions to evade detection.
First reported: 13.04.2026 18:00 · 1 source, 1 article
- Mailbox Rule Abuse Emerges as Stealthy Post-Compromise Threat — www.infosecurity-magazine.com — 13.04.2026 18:00
- Observed attack scenarios include targeting payroll processes via internal phishing from compromised accounts while hiding replies and warnings, and intercepting vendor communications to insert fraudulent payment requests.
First reported: 13.04.2026 18:00 · 1 source, 1 article
- Mailbox Rule Abuse Emerges as Stealthy Post-Compromise Threat — www.infosecurity-magazine.com — 13.04.2026 18:00
- In university environments, blanket rules deleting or hiding all incoming messages have been used to isolate mailboxes and facilitate large-scale spam campaigns without user awareness.
First reported: 13.04.2026 18:00 · 1 source, 1 article
- Mailbox Rule Abuse Emerges as Stealthy Post-Compromise Threat — www.infosecurity-magazine.com — 13.04.2026 18:00
- Malicious forwarding and suppression rules are stored server-side in the mailbox, so they survive credential resets unless they are explicitly found and removed, allowing continued data exposure and maintained access.
First reported: 13.04.2026 18:00 · 1 source, 1 article
- Mailbox Rule Abuse Emerges as Stealthy Post-Compromise Threat — www.infosecurity-magazine.com — 13.04.2026 18:00
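The three snippets above (forwarding and suppression actions, throwaway rule names pointed at folders such as Archive or RSS Subscriptions, and rules that outlive a password reset) describe exactly the signals a detection should key on. The following is an added example, not code from the Infosecurity Magazine article or from any Microsoft tool: it scores Unified Audit Log records for `New-InboxRule` / `Set-InboxRule` against those indicators and correlates each rule change with the user's most recent `UserLoggedIn` event. The field names follow the real AuditData schema, but the sample records, the tenant domain `contoso.com`, the folder and keyword lists, and the 60-second sign-in window are all assumptions chosen for the example.

```python
"""Hunt Microsoft 365 Unified Audit Log records for the mailbox-rule tradecraft
described above: rules that delete, hide, or forward mail, carry throwaway
names, apply to every message, or appear seconds after a sign-in.

Input is one AuditData JSON object per line, as exported by
Search-UnifiedAuditLog. The records in SAMPLE_LOG are constructed for this
example: field names (Operation, UserId, ClientIP, Parameters as Name/Value
pairs) follow the real schema, the values are invented.
"""
import json
import re
from datetime import datetime, timedelta

# Tenant-specific assumptions for the example; adjust for a real environment.
INTERNAL_DOMAINS = {"contoso.com"}
LOW_VISIBILITY_FOLDERS = {"archive", "rss subscriptions", "rss feeds",
                          "junk email", "deleted items", "conversation history"}
SENSITIVE_WORDS = {"invoice", "payment", "wire", "payroll", "bank", "password",
                   "security", "alert", "phish", "hacked", "mfa"}
# Parameters that are actions or housekeeping rather than conditions; a rule
# with nothing else set is a blanket rule that applies to every incoming message.
NON_CONDITION_KEYS = {"Name", "Identity", "Mailbox", "Enabled", "Priority", "Force",
                      "Confirm", "StopProcessingRules", "DeleteMessage",
                      "SoftDeleteMessage", "MoveToFolder", "CopyToFolder",
                      "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                      "MarkAsRead", "MarkImportance"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
LOGIN_WINDOW = timedelta(seconds=60)  # "within seconds of initial access"
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample audit records (not real tenant data).
SAMPLE_LOG = """
{"CreationTime":"2025-11-03T08:14:10","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"alice@contoso.com","ClientIP":"203.0.113.10","ResultStatus":"Success"}
{"CreationTime":"2025-11-03T08:14:22","Operation":"New-InboxRule","Workload":"Exchange","UserId":"alice@contoso.com","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"invoice;payment;wire"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2025-11-03T07:30:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"bob@contoso.com","ClientIP":"198.51.100.7","ResultStatus":"Success"}
{"CreationTime":"2025-11-03T10:02:00","Operation":"New-InboxRule","Workload":"Exchange","UserId":"bob@contoso.com","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"newsletter"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2025-11-03T11:45:03","Operation":"Set-InboxRule","Workload":"Exchange","UserId":"carol@contoso.com","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"a"},{"Name":"ForwardTo","Value":"drop@example.net"},{"Name":"DeleteMessage","Value":"True"}]}
""".strip()


def parse_records(text):
    """Parse one JSON record per line and order them by CreationTime."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in records:
        r["_time"] = datetime.fromisoformat(r["CreationTime"])
    return sorted(records, key=lambda r: r["_time"])


def rule_parameters(record):
    """Flatten the Parameters list of an inbox-rule record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def score_rule(params, seconds_since_login=None):
    """Return (score, reasons) for one rule; score is the number of indicators hit."""
    reasons = []
    name = params.get("Name", "").strip()
    if len(name) <= 2 or not re.search(r"[A-Za-z]{3,}", name):
        reasons.append(f"minimal or nonsensical rule name {name!r}")
    if params.get("MoveToFolder", "").strip().lower() in LOW_VISIBILITY_FOLDERS:
        reasons.append(f"moves mail to rarely monitored folder {params['MoveToFolder']!r}")
    if params.get("DeleteMessage") == "True":
        reasons.append("deletes matching mail")
    if params.get("MarkAsRead") == "True":
        reasons.append("marks matching mail as read")
    for action in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for domain in EMAIL_RE.findall(params.get(action, "")):
            if domain.lower() not in INTERNAL_DOMAINS:
                reasons.append(f"{action} sends mail outside the tenant ({domain})")
    text = " ".join(v for k, v in params.items() if "ContainsWords" in k).lower()
    hits = sorted(w for w in SENSITIVE_WORDS if w in text)
    if hits:
        reasons.append(f"matches sensitive keywords {hits}")
    if not (set(params) - NON_CONDITION_KEYS):
        reasons.append("no conditions: applies to every incoming message")
    if seconds_since_login is not None and seconds_since_login <= LOGIN_WINDOW.total_seconds():
        reasons.append(f"created {seconds_since_login:.0f}s after a sign-in")
    return len(reasons), reasons


def hunt(text, threshold=2):
    """Walk the log in time order, remember each user's latest successful sign-in,
    and report every rule change whose indicator count reaches the threshold."""
    last_login, findings = {}, []
    for r in parse_records(text):
        user = r.get("UserId", "").lower()
        if r.get("Operation") == "UserLoggedIn" and r.get("ResultStatus") == "Success":
            last_login[user] = r["_time"]
            continue
        if r.get("Operation") not in RULE_OPERATIONS:
            continue
        params = rule_parameters(r)
        since = (r["_time"] - last_login[user]).total_seconds() if user in last_login else None
        score, reasons = score_rule(params, since)
        if score >= threshold:
            findings.append({"user": user, "operation": r["Operation"], "rule": params.get("Name"),
                             "client_ip": r.get("ClientIP"), "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['user']} {f['operation']} {f['rule']!r} score={f['score']} from {f['client_ip']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

On the constructed input, alice's "." rule (five indicators, created 12 seconds after her sign-in) and carol's blanket forward-and-delete rule are reported while bob's newsletter rule is not. To run it against real data, export `Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule,UserLoggedIn` with one AuditData value per line. Because the rules live in the mailbox rather than in the session, pair any credential reset with a review of `Get-InboxRule` output for the affected mailbox; resetting the password alone leaves every rule in place.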
- Automation tools enable attackers to deploy malicious mailbox rules at scale across multiple compromised accounts.
First reported: 13.04.2026 18:00 · 1 source, 1 article
- Mailbox Rule Abuse Emerges as Stealthy Post-Compromise Threat — www.infosecurity-magazine.com — 13.04.2026 18:00