Microsoft 365 mailbox-rule abuse rises across breached accounts in Q4 2025
Target Trend
Summary
In Q4 2025, about 10% of breached Microsoft 365 accounts had malicious mailbox rules created within seconds of compromise, raising the risk of persistence, data theft, and email manipulation.
Related Happenings
Microsoft Exchange Server spoofing/XSS flaw under active exploitation (CVE-2026-42897)
Vulnerability
First: 15.05.2026 09:19
Last: 15.05.2026 09:19
Sources 1
About this happening:
**CVE-2026-42897** is an **actively exploited** **spoofing/XSS** flaw in **on-premises Microsoft Exchange Server** that can let attackers trigger **arbitrary JavaScript** in a bro...
KongTuke Microsoft Teams initial access campaign
Campaign
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
Microsoft Windows 365 Office installation disruption
Service Disruption
First: 13.05.2026 14:53
Last: 13.05.2026 14:53
Sources 1
About this happening:
The **Windows 365** service update has introduced a **configuration change** that is blocking **Office downloads and installs** for some customers, disrupting access on cloud PCs....
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
QR code phishing surged across email threats in Q1 2026
Target Trend
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
**Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....
Timeline
13.04.2026 18:00 · 2 articles · 1mo ago
Microsoft 365 mailbox-rule abuse rises across breached accounts in Q4 2025
Initial Disclosure
After account compromise in **Q4 2025**, attackers quickly created mailbox rules to hide replies, reroute messages, and preserve access. The early phase was defined by immediate inbox manipulation before the victim could notice unusual mail flow.
Sources
- Mailbox Rule Abuse Emerges as Stealthy Post-Compromise Threat — www.infosecurity-magazine.com — 13.04.2026 18:00
- Mailbox Rule Abuse Emerges as Stealthy Post-Compromise Threat — www.infosecurity-magazine.com — 13.04.2026 18:00