Zoho: Hackers Exploit Hidden Microsoft 365 Mailbox Rules to Steal Sensitive Business Emails

Cybercriminals Exploit Microsoft 365 Mailbox Rules for Stealthy Email Theft and Fraud

Attackers are increasingly leveraging Microsoft 365 mailbox rules to silently exfiltrate emails, suppress security alerts, and maintain persistent access in business email compromise (BEC) campaigns targeting enterprises worldwide. Unlike traditional malware-based attacks, this tactic abuses legitimate Outlook features such as auto-forwarding and message filtering to operate undetected.

After gaining initial access via phishing, password spraying, or a stolen OAuth token, the threat actor creates inbox rules to manipulate mail flow. The rules automatically delete, forward, or redirect messages, or move them into folders users rarely open such as Archive or RSS Subscriptions, letting the attacker intercept financial communications, suppress security warnings, or hijack transaction threads without raising suspicion. Rules created through the web client, Exchange PowerShell or the Graph API are stored and executed by the Exchange service itself, so the victim's inbox is filtered in the background whether or not an Outlook client is open.

Security telemetry from Q4 2025 showed that 10% of compromised Microsoft 365 accounts had malicious mailbox rules created within seconds of the account being breached, some as quickly as five seconds after login. Attackers often give the rules innocuous or near-empty names (e.g., “.”, “..” or “;”), a sign of automation and of confidence that administrators will not inspect them. Because the rules are stored in the mailbox rather than tied to the credential, they survive a password reset and keep running until someone removes them, enabling prolonged data theft or fraud.

In one case, the attackers created a rule that moved any email containing “Payment Receipt” to a hidden folder, then used that same subject line in a phishing campaign so that verification messages, including those from Zoho, landed unseen in the RSS Subscriptions folder. That let them hijack a vendor payment thread and redirect funds to attacker-controlled accounts, with the rule doing the work even after they no longer had access to the original mailbox.
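The behaviours described in the last three paragraphs (punctuation-only rule names, moves into RSS Subscriptions or Archive, deletes, external forwards, conditions keyed on payment or security wording) can be turned into a review script. The following is an added example written for this page, not code from the gbhackers article or from Rankiteo; the sample rule objects are constructed in the shape Get-InboxRule returns so it runs offline, and the internal domain corp.example is an assumption.

```powershell
# Added example, not code from the article or from Rankiteo: heuristics that
# flag inbox rules matching the abuse pattern described above (hidden-folder
# moves, deletes, external forwards, punctuation-only names, payment/security
# keywords). The sample rules below are constructed for the demo so the script
# runs offline; on a live tenant feed it the objects returned by Get-InboxRule.

# Assumption for the example: the tenant's own mail domains.
$InternalDomains = @('corp.example')

# Folders the article names as hiding places, plus other rarely-opened ones.
$HiddenFolderPattern = 'RSS Subscriptions|RSS Feeds|Archive|Conversation History|Junk E-?mail|Deleted Items'

# Condition words that point at payment threads or security notices.
$SensitivePattern = 'payment|invoice|wire|remittance|receipt|bank|password|verif|security alert|suspicious|sign-?in|mfa'

function Test-SuspiciousInboxRule {
    param([Parameter(Mandatory)] $Rule)

    $reasons = [System.Collections.Generic.List[string]]::new()
    $hardHit = $false   # set by indicators that are suspicious on their own

    # Names that are empty or only punctuation ('.', '..', ';') are a known tell.
    if ($Rule.Name -match '^[\s\p{P}]{0,3}$') {
        $reasons.Add("punctuation-only name '$($Rule.Name)'"); $hardHit = $true
    }

    # Any forward or redirect to an address outside the tenant.
    foreach ($rcpt in @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)) {
        if (-not $rcpt) { continue }
        # Get-InboxRule renders recipients as '"Display" [SMTP:user@domain]' or as a bare address.
        $addr   = if ("$rcpt" -match 'SMTP:([^\]\s]+)') { $Matches[1] } else { "$rcpt" }
        $domain = ($addr -split '@')[-1].ToLower()
        if ($InternalDomains -notcontains $domain) {
            $reasons.Add("forwards to external address $addr"); $hardHit = $true
        }
    }

    # Deleting mail, or moving it somewhere the user will not look.
    if ($Rule.DeleteMessage) { $reasons.Add('deletes matching messages'); $hardHit = $true }
    if ($Rule.MoveToFolder -and $Rule.MoveToFolder -match $HiddenFolderPattern) {
        $reasons.Add("moves matches to '$($Rule.MoveToFolder)'")
    }

    # Conditions aimed at financial or security traffic.
    $words = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) + @($Rule.SubjectOrBodyContainsWords)
    $hits  = @($words | Where-Object { $_ -and $_ -match $SensitivePattern })
    if ($hits.Count) { $reasons.Add("matches sensitive words: $($hits -join ', ')") }

    # Marking hidden mail as read removes the unread badge that might alert the user.
    if ($Rule.MarkAsRead -and ($Rule.DeleteMessage -or $Rule.MoveToFolder)) {
        $reasons.Add('marks hidden mail as read')
    }

    [pscustomobject]@{
        Mailbox = $Rule.MailboxOwnerId
        Rule    = $Rule.Name
        Enabled = $Rule.Enabled
        Flagged = $hardHit -or ($reasons.Count -ge 2)
        Reasons = $reasons -join '; '
    }
}

# Constructed sample rules (not real telemetry) in the shape Get-InboxRule returns.
$SampleRules = @(
    # The "Payment Receipt" case from the article: hidden move plus mark-as-read.
    [pscustomobject]@{ MailboxOwnerId='ap.clerk@corp.example'; Name='.'; Enabled=$true
        SubjectContainsWords=@('Payment Receipt'); BodyContainsWords=$null; SubjectOrBodyContainsWords=$null
        MoveToFolder='ap.clerk@corp.example:\RSS Subscriptions'; MarkAsRead=$true; DeleteMessage=$false
        ForwardTo=$null; ForwardAsAttachmentTo=$null; RedirectTo=$null }
    # Benign user rule: should not be flagged.
    [pscustomobject]@{ MailboxOwnerId='ap.clerk@corp.example'; Name='Newsletters'; Enabled=$true
        SubjectContainsWords=@('Weekly digest'); BodyContainsWords=$null; SubjectOrBodyContainsWords=$null
        MoveToFolder='ap.clerk@corp.example:\Newsletters'; MarkAsRead=$false; DeleteMessage=$false
        ForwardTo=$null; ForwardAsAttachmentTo=$null; RedirectTo=$null }
    # Exfiltration plus cover-up: external forward, then delete the original.
    [pscustomobject]@{ MailboxOwnerId='cfo@corp.example'; Name=';'; Enabled=$true
        SubjectContainsWords=$null; BodyContainsWords=$null; SubjectOrBodyContainsWords=@('wire','invoice')
        MoveToFolder=$null; MarkAsRead=$false; DeleteMessage=$true
        ForwardTo=@('"Finance" [SMTP:finance-backup@mail-relay.example]'); ForwardAsAttachmentTo=$null; RedirectTo=$null }
)

$findings = $SampleRules | ForEach-Object { Test-SuspiciousInboxRule -Rule $_ }
$findings | Where-Object Flagged | Format-Table -AutoSize

# Live tenant (ExchangeOnlineManagement module, Exchange admin role):
# Connect-ExchangeOnline
# Get-Mailbox -ResultSize Unlimited |
#     ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName -IncludeHidden } |
#     ForEach-Object { Test-SuspiciousInboxRule -Rule $_ } | Where-Object Flagged
```

Of the three constructed rules, the first and third are flagged and "Newsletters" is not. A single hidden-folder move is deliberately not enough on its own, since users do file mail into Archive; it takes a hard indicator (odd name, external forward, delete) or two soft ones together. Tune $InternalDomains and the word lists to the tenant before running it at scale.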

The tactic has been automated at scale: tools such as ATOLS let attackers deploy malicious rules across many accounts in seconds using stolen session tokens or PowerShell scripts. Researchers demonstrated that a stolen token is enough to call the Microsoft Graph API and create rules immediately upon login, with no further need for the victim's password.

To mitigate the risk, Microsoft 365 administrators are advised to disable external auto-forwarding, enforce multi-factor authentication (MFA) and conditional access policies, and monitor new mailbox rules and OAuth consent grants, particularly those that carry mail-read or mail-write permissions. When an account is confirmed compromised, resetting the password is not enough: existing sessions and tokens should be revoked and the mailbox's rules reviewed and disabled, since the rules otherwise keep running. Without proactive audits, these seemingly harmless productivity features become invisible backdoors for BEC and espionage.
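The hardening, monitoring and containment steps in the paragraph above map onto a handful of Exchange Online and Microsoft Graph cmdlets. The following is an added example written for this page, not code from the gbhackers article or from Rankiteo; it needs the ExchangeOnlineManagement and Microsoft.Graph modules plus an admin account, and the seven-day lookback and the user ap.clerk@corp.example are example values.

```powershell
# Added example, not code from the article or from Rankiteo: the mitigation
# steps above as Exchange Online / Microsoft Graph PowerShell. Requires the
# ExchangeOnlineManagement and Microsoft.Graph modules and an admin role; the
# lookback window and the remediated user below are example values.

Connect-ExchangeOnline

# 1. Block automatic external forwarding at both layers where it is controlled.
#    The outbound spam policy governs forwarding by inbox rules and SMTP
#    forwarding; the remote-domain flag is the older organisation-wide switch.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Pull inbox-rule changes from the unified audit log. New-InboxRule and
#    Set-InboxRule are logged for OWA, PowerShell and Graph; UpdateInboxRules
#    is what the Outlook desktop client produces.
$since      = (Get-Date).AddDays(-7)                       # example window
$ruleEvents = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000

$ruleEvents | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When     = $d.CreationTime
        User     = $d.UserId
        Op       = $d.Operation
        ClientIP = $d.ClientIP
        # New-/Set-InboxRule records carry the rule parameters (Name, ForwardTo,
        # MoveToFolder, DeleteMessage ...); UpdateInboxRules records do not, so
        # Params is empty for those and the rule must be inspected with Get-InboxRule.
        Params   = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    }
} | Sort-Object When | Format-Table -AutoSize

# 3. Delegated OAuth grants that include mail scopes, resolved to the app name.
Connect-MgGraph -Scopes 'Directory.Read.All', 'User.ReadWrite.All'
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.Scope -match 'Mail\.(Read|ReadWrite|Send)' } |
    ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{
            App         = $sp.DisplayName
            AppId       = $sp.AppId
            ConsentType = $_.ConsentType      # AllPrincipals = admin consent, Principal = single user
            Scope       = $_.Scope
        }
    } | Format-Table -AutoSize

# 4. Containment for a confirmed compromise. A password reset alone leaves
#    the rules and any issued tokens in place, so revoke sessions and disable
#    the suspect rules (disable rather than delete, to preserve evidence).
$victim = 'ap.clerk@corp.example'                          # example value
Revoke-MgUserSignInSession -UserId $victim | Out-Null
Get-InboxRule -Mailbox $victim -IncludeHidden |
    Where-Object { $_.Name -match '^[\s\p{P}]{0,3}$' -or $_.ForwardTo -or $_.RedirectTo -or
                   $_.ForwardAsAttachmentTo -or $_.DeleteMessage } |
    Disable-InboxRule -Confirm:$false
```

Step 1 does not stop an attacker from creating a rule, only from having it deliver mail outside the tenant; rules that delete or move mail into hidden folders still work, which is why the audit in step 2 and the rule review in step 4 are needed alongside it. Revoking sign-in sessions invalidates refresh tokens, but an access token already in the attacker's hands remains valid until it expires, so the rule review should not wait for that.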

Source: https://gbhackers.com/microsoft-365-mailbox/

Zoho cybersecurity rating report: https://www.rankiteo.com/company/zoho

"id": "ZOH1776249079",
"linkid": "zoho",
"type": "Cyber Attack",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'location': 'Worldwide', 'type': 'Enterprises'}],
 'attack_vector': ['Phishing', 'Password spraying', 'Compromised OAuth tokens'],
 'data_breach': {'data_exfiltration': 'Yes (silent email '
                                      'forwarding/redirection)',
                 'sensitivity_of_data': 'High (financial and operational data)',
                 'type_of_data_compromised': 'Emails (financial '
                                             'communications, security alerts, '
                                             'transaction threads)'},
 'date_detected': 'Q4 2025',
 'description': 'Attackers are increasingly leveraging Microsoft 365 mailbox '
                'rules to silently exfiltrate emails, suppress security '
                'alerts, and maintain persistent access in business email '
                'compromise (BEC) campaigns targeting enterprises worldwide. '
                'This tactic abuses legitimate Outlook features such as '
                'auto-forwarding and message filtering to operate undetected. '
                'After gaining initial access via phishing, password spraying, '
                'or compromised OAuth tokens, threat actors create malicious '
                'mailbox rules to manipulate email flow, automatically '
                'deleting, forwarding, or redirecting messages to hidden '
                'folders like *Archive* or *RSS Subscriptions*. This allows '
                'attackers to intercept financial communications, block '
                'security warnings, or hijack transaction threads without '
                'raising suspicion.',
 'impact': {'data_compromised': 'Emails containing financial communications, '
                                'security alerts, and transaction threads',
            'operational_impact': 'Persistent unauthorized access to email '
                                  'communications',
            'payment_information_risk': 'High (payment redirection)',
            'revenue_loss': 'Potential diversion of funds to '
                            'attacker-controlled accounts',
            'systems_affected': 'Microsoft 365 accounts'},
 'initial_access_broker': {'backdoors_established': 'Malicious mailbox rules '
                                                    '(persistent access)'},
 'lessons_learned': 'Malicious mailbox rules can persist even after password '
                    'resets, enabling prolonged data theft or fraud. '
                    'Automation tools like *ATOLS* allow attackers to deploy '
                    'rules at scale using stolen session tokens or PowerShell '
                    'scripts. Proactive audits and monitoring of mailbox rules '
                    'and OAuth consent changes are critical to detect and '
                    'mitigate such threats.',
 'motivation': ['Financial fraud', 'Data theft', 'Espionage'],
 'post_incident_analysis': {'corrective_actions': ['Disable external '
                                                   'auto-forwarding',
                                                   'Enforce MFA and '
                                                   'conditional access '
                                                   'policies',
                                                   'Monitor and audit mailbox '
                                                   'rules and OAuth consent '
                                                   'changes'],
                            'root_causes': ['Abuse of legitimate Microsoft 365 '
                                            'mailbox rules',
                                            'Initial access via phishing, '
                                            'password spraying, or compromised '
                                            'OAuth tokens',
                                            'Lack of monitoring for malicious '
                                            'mailbox rules and OAuth consent '
                                            'changes']},
 'recommendations': ['Disable external auto-forwarding in Microsoft 365',
                     'Enforce multi-factor authentication (MFA) and '
                     'conditional access policies',
                     'Monitor new mailbox rules and OAuth consent changes, '
                     'particularly those with mail-read or write permissions',
                     'Conduct regular audits of mailbox rules to detect '
                     'malicious activity'],
 'references': [{'source': 'Security telemetry and research (Q4 2025)'}],
 'response': {'enhanced_monitoring': 'Monitor new mailbox rules and OAuth '
                                     'consent changes'},
 'title': 'Cybercriminals Exploit Microsoft 365 Mailbox Rules for Stealthy '
          'Email Theft and Fraud',
 'type': 'Business Email Compromise (BEC)',
 'vulnerability_exploited': 'Abuse of Microsoft 365 mailbox rules and Outlook '
                            'features'}