Microsoft 365 mailbox-rule abuse rises across breached accounts in Q4 2025
Trend
Summary
Hide ▲
Show ▼
In Q4 2025, about 10% of breached Microsoft 365 accounts had malicious mailbox rules created within seconds of compromise, increasing persistence, data theft, and email manipulation risk across breached accounts.
Related Happenings
Microsoft Exchange Server spoofing/XSS flaw under active exploitation (CVE-2026-42897)
Vulnerability
H score37
First: 15.05.2026 09:19
Last: 15.05.2026 09:19
Sources 1
About this happening:
**CVE-2026-42897** is an **actively exploited** **spoofing** vulnerability in **on-premises Microsoft Exchange Server** that can lead to **arbitrary JavaScript execution** in a br...
Microsoft Exchange Server spoofing/XSS flaw under active exploitation (CVE-2026-42897)
VulnerabilityAbout this happening: **CVE-2026-42897** is an **actively exploited** **spoofing** vulnerability in **on-premises Microsoft Exchange Server** that can lead to **arbitrary JavaScript execution** in a br...
Latest development: 09.06.2026 20:57
Microsoft identifies CVE-2026-42897 in Microsoft Exchange Server as an actively exploited spoofing vulnerability that can lead to JavaScript execution in a target’s browser when a specially crafted email is opened in Outlook Web Access under certain interaction conditions. Microsoft says mitigations are being pushed through the Exchange Emergency Mitigation Service while it continues work on the full update.
KongTuke Microsoft Teams initial access campaign
Campaign
H score42
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
KongTuke Microsoft Teams initial access campaign
CampaignAbout this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
Microsoft Windows 365 Office installation disruption
Service Disruption
H score0
First: 13.05.2026 14:53
Last: 13.05.2026 14:53
Sources 1
About this happening:
The **Windows 365** service update has introduced a **configuration change** that is blocking **Office downloads and installs** for some customers, disrupting access on cloud PCs....
Microsoft Windows 365 Office installation disruption
Service DisruptionAbout this happening: The **Windows 365** service update has introduced a **configuration change** that is blocking **Office downloads and installs** for some customers, disrupting access on cloud PCs....
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
H score53
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
Code of conduct-themed Microsoft AiTM phishing campaign
CampaignAbout this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
QR code phishing surged across email threats in Q1 2026
Trend
H score73
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
**Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....
QR code phishing surged across email threats in Q1 2026
TrendAbout this happening: **Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....
Timeline
-
13.04.2026 18:00 2 articles · 2mo ago
Microsoft 365 mailbox-rule abuse rises across breached accounts in Q4 2025
Initial DisclosureAfter account compromise in **Q4 2025**, attackers quickly created mailbox rules to hide replies, reroute messages, and preserve access. The early phase was defined by immediate inbox manipulation before the victim could notice unusual mail flow.
Show sources
- Mailbox Rule Abuse Emerges as Stealthy Post-Compromise Threat — www.infosecurity-magazine.com — 13.04.2026 18:00
- Mailbox Rule Abuse Emerges as Stealthy Post-Compromise Threat — www.infosecurity-magazine.com — 13.04.2026 18:00