- Mailbox rules are a high-risk post-exploitation tactic. Attackers abuse native mailbox rules for exfiltration, persistence, and communication manipulation. Combined with third-party services and domain spoofing, they can hijack threads, impersonate victims, and manipulate vendor communications, all without network-level interception.
- It’s more common than expected. Approximately 10% of compromised accounts in Q4 2025 had malicious mailbox rules created shortly after initial access.
In Microsoft 365 environments, attackers typically gain initial access through credential phishing, password spraying, brute-force, or OAuth (Open Authorization) consent abuse.
Once inside, adversaries focus on staying undetected rather than immediate disruption. Instead of deploying complex tools, they abuse native Microsoft 365 features to operate under the compromised user’s identity.
Phishing continues to be a key entry point for attackers. Insights from the UAE Cybersecurity Council show that 75% of cyberattacks begin with phishing emails before moving to more advanced techniques such as mailbox rule abuse.
One especially effective technique for maintaining persistence is creating malicious mailbox rules. While mailbox rules are designed to help users organize email, attackers leverage them to delete, hide, forward, or mark messages as read, silently controlling email flow without alerting the victim.
Mailbox rules provide stealth, automation, and persistence using built-in M365 functionality, enabling several attacker objectives:
Data Exfiltration: Attackers create rules to automatically forward or redirect emails to external, attacker-controlled mailboxes, often using specific keywords (“invoice”, “wire”, “contract”) to collect high-value data. Emails may also be moved to rarely checked folders to avoid detection.
Victim Deception and Email Suppression: Rules that delete, mark as read, or relocate messages hide security alerts, password reset emails, MFA notifications, suspicious replies, and third-party service registrations that could expose attacker activity. This allows attackers to deepen their foothold or complete fraudulent operations.
Persistence: Auto-forwarding rules maintain visibility into a mailbox even after password changes. As long as the rule persists, information continues to leak, creating a cloud-native persistence mechanism.
Man-in-the-Middle-Like Behavior: By routing specific correspondence to hidden folders, attackers can intercept messages, impersonate users, and suppress replies, allowing them to manipulate ongoing conversations. Unlike traditional man-in-the-middle attacks, this is done using legitimate platform features, giving attackers a significant tactical advantage with a low detection profile.
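The four objectives above map to a small number of rule properties, which makes them easy to hunt for. The function below is an added example, not code from the original article or from Proofpoint: it scores an inbox rule for exfiltration (forward or redirect to an address outside the organization), suppression (delete, mark as read, or move to a folder nobody checks), targeting (finance keywords) and evasion (a blank or punctuation-only name). The domain list, keyword list, folder list and the three sample rules are constructed assumptions; in production, pipe real rules in with `Get-InboxRule -IncludeHidden`.

```powershell
# Added example (not from the original article). Classifies inbox rules against the attacker
# objectives described above. The $SampleRules below are constructed to mimic Get-InboxRule
# output; against a live tenant use:
#   Get-Mailbox -ResultSize Unlimited |
#     ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName -IncludeHidden } |
#     Test-SuspiciousInboxRule
# Assumptions: contoso.com is the tenant's accepted domain; keyword and folder lists are illustrative.

$InternalDomains    = @('contoso.com')
$FinanceKeywords    = @('invoice', 'wire', 'payment', 'contract', 'payroll', 'bank')
$SuppressionFolders = @('Archive', 'RSS Feeds', 'RSS Subscriptions', 'Conversation History',
                        'Deleted Items', 'Junk Email')

function Get-SmtpAddresses {
    # Exchange Online renders rule recipients as '"Display Name" [SMTP:user@domain]';
    # plain addresses are accepted too. Returns lower-cased SMTP addresses.
    param([object[]]$Recipients)
    foreach ($r in @($Recipients)) {
        if     ("$r" -match 'SMTP:([^\]\s]+)')     { $Matches[1].ToLower() }
        elseif ("$r" -match '^[^@\s]+@[^@\s]+$')   { "$r".ToLower() }
    }
}

function Test-SuspiciousInboxRule {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)] $Rule)
    process {
        $findings = @()

        # Exfiltration: any forward/redirect target outside our domains.
        $targets  = Get-SmtpAddresses (@($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo))
        $external = @($targets | Where-Object { ($_ -split '@')[1] -notin $InternalDomains })
        if ($external) { $findings += "exfiltration: forwards to $($external -join ', ')" }

        # Suppression: delete, mark read, or bury matching mail in a rarely checked folder.
        if ($Rule.DeleteMessage) { $findings += 'suppression: deletes matching mail' }
        if ($Rule.MarkAsRead)    { $findings += 'suppression: marks matching mail as read' }
        if ($Rule.MoveToFolder) {
            $folder = ("$($Rule.MoveToFolder)" -split '\\')[-1]   # 'user@domain:\Archive' -> 'Archive'
            if ($folder -in $SuppressionFolders) { $findings += "suppression: moves mail to '$folder'" }
        }

        # Targeting: keyword triggers typical of payment fraud and BEC.
        $words = @($Rule.SubjectContainsWords) + @($Rule.SubjectOrBodyContainsWords) + @($Rule.BodyContainsWords)
        $hits  = @($words | Where-Object { $_ } |
                  Where-Object { $w = $_; @($FinanceKeywords | Where-Object { $w -match $_ }).Count -gt 0 })
        if ($hits) { $findings += "targeting: triggers on $($hits -join ', ')" }

        # Evasion: attackers routinely name rules '.', ',' or leave them blank.
        if ([string]::IsNullOrWhiteSpace($Rule.Name) -or $Rule.Name -match '^[\s.,-]+$') {
            $findings += 'evasion: blank or punctuation-only rule name'
        }

        if ($findings) {
            [pscustomobject]@{
                Mailbox  = $Rule.MailboxOwnerId
                Rule     = $Rule.Name
                Enabled  = $Rule.Enabled
                Findings = $findings -join '; '
            }
        }
    }
}

# Constructed sample rules. The first mirrors the "Payment Receipt" -> Archive rule from the case
# described later in the article; the second is a keyword-triggered external forward; the third is benign.
$SampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'acct.specialist@contoso.com'; Name = '.'; Enabled = $true
                       SubjectContainsWords = @('Payment Receipt'); MarkAsRead = $true
                       MoveToFolder = 'acct.specialist@contoso.com:\Archive' }
    [pscustomobject]@{ MailboxOwnerId = 'cfo@contoso.com'; Name = 'Sync'; Enabled = $true
                       SubjectOrBodyContainsWords = @('wire', 'invoice')
                       ForwardTo = @('"Backup" [SMTP:drop@attacker-mail.example]') }
    [pscustomobject]@{ MailboxOwnerId = 'alice@contoso.com'; Name = 'Newsletters'; Enabled = $true
                       From = @('news@vendor.example'); MoveToFolder = 'alice@contoso.com:\Newsletters' }
)

$SampleRules | Test-SuspiciousInboxRule | Format-Table -AutoSize
```

Only the first two sample rules produce output; the newsletter rule moves mail to a user-created folder and has no other suspicious property. The keyword and folder lists are the part to tune: a rule that moves "invoice" mail to Archive is benign in accounts payable and alarming in a CFO mailbox, so treat the output as a triage queue, not a verdict.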
Analysis of compromised accounts consistently shows that mailbox rule abuse is a frequent post-exploitation activity. In Q4 2025, approximately 10% of compromised user accounts had at least one malicious mailbox rule created shortly after initial access.
In one observed case, an initial account belonging to an ‘Accounting Specialist’ user was compromised. Shortly after access was obtained, the attacker created a mailbox rule to move any “Payment Receipt” related email to the Archive folder.
Using this access, the attacker launched an internal phishing campaign targeting 45 additional users within the same organization. This included a “Payroll enrollment” email sent from the compromised account to the company’s payroll specialist, attempting to initiate a fraudulent payroll-related action.
At this stage, mailbox rules played a critical role in the attack’s success in suppressing any warning replies or suspicious activity reports about the phishing emails.
Protecting Against Mailbox Rule Abuse
Organizations can reduce the risk of mailbox rule abuse by focusing on a few key areas:
- Disable external auto-forwarding in Exchange Online, at both the outbound spam filter policy and the remote domain level, to disrupt one of the most common exfiltration and persistence mechanisms.
- Enforce multi-factor authentication through Conditional Access policies that restrict access by device compliance, location, and sign-in risk, reducing the success of phishing, password spraying, and token replay.
- Monitor mailbox configuration changes and OAuth activity: inbox rule creation and modification, new app registrations, consent grants, and permission changes, together with unusual access activity.
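The first and third controls can be applied and verified from an Exchange Online PowerShell session. The script below is an added example, not configuration from the original article or from Proofpoint: it shows the weak state beside the corrected one, blocks auto-forwarding at both the outbound spam policy and remote domain layers, fails loudly if anything still permits forwarding, and then pulls the audit records that rule creation and forwarding changes leave behind. It assumes the ExchangeOnlineManagement module and an admin account; the seven-day window and the 5000-record page size are assumptions to adjust.

```powershell
# Added example (not from the original article). Requires: Install-Module ExchangeOnlineManagement
# and an admin account. Assumptions: the built-in 'Default' policy and remote domain exist (they do
# in every tenant); custom remote domains for partners may need an exception after review.

Connect-ExchangeOnline

# 1) Weak state. AutoForwardingMode 'Automatic' defers to Microsoft's current default and 'On'
#    permits forwarding; AutoForwardEnabled $true on the '*' remote domain lets it leave the tenant.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled

# 2) Corrected state. The policy layer covers inbox rules (ForwardTo/RedirectTo) and mailbox-level
#    ForwardingSmtpAddress; the transport layer is belt and braces for every remote domain.
Get-HostedOutboundSpamFilterPolicy | ForEach-Object {
    Set-HostedOutboundSpamFilterPolicy -Identity $_.Identity -AutoForwardingMode Off
}
Get-RemoteDomain | ForEach-Object {
    Set-RemoteDomain -Identity $_.Identity -AutoForwardEnabled $false
}

# 3) Verify; a policy or domain left open is a finding, not a warning.
$openPolicies = @(Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.AutoForwardingMode -ne 'Off' })
$openDomains  = @(Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled })
if ($openPolicies -or $openDomains) {
    throw "External auto-forwarding still permitted: policies=$($openPolicies.Name -join ',') domains=$($openDomains.Name -join ',')"
}

# 4) What the policy does not clean up: forwarding already configured at the mailbox level.
#    Blocking stops delivery but leaves the setting in place as an artefact to investigate.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 5) Monitoring. Rule cmdlets produce ExchangeAdmin records with a Parameters list; Outlook-side rule
#    edits arrive as UpdateInboxRules with OperationProperties. Set-Mailbox is kept only when it
#    touched forwarding. For more than 5000 records use -SessionId/-SessionCommand paging.
$start = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) -ResultSize 5000 `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        $props   = if ($d.Parameters) { $d.Parameters } else { $d.OperationProperties }
        $details = ($props | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        [pscustomobject]@{
            When      = $_.CreationDate
            User      = $_.UserIds
            Operation = $_.Operations
            ClientIP  = $d.ClientIP
            Details   = $details
        }
    } |
    Where-Object { $_.Operation -ne 'Set-Mailbox' -or $_.Details -match 'Forwarding' } |
    Sort-Object When -Descending | Format-Table -AutoSize -Wrap
```

Step 5 is the part to wire into a SIEM rather than run by hand: the ClientIP on a New-InboxRule record, compared against the user's normal sign-in locations, is usually the first concrete evidence that the rule was not created by its owner.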
When malicious mailbox rules are identified, organizations should focus on containment, eradication, and access revocation:
- Remove Malicious Rules: Delete all unauthorized inbox rules and verify that no hidden rules (rules not visible in Outlook or Outlook on the web) or mailbox-level forwarding settings remain.
- Revoke Sessions and Reset Tokens: Invalidate active sessions and refresh tokens to eliminate persistent access that survives password changes.
- Review Sign-In Activity: Analyze Entra ID logs for suspicious IPs, unfamiliar user agents, anomalous locations, or risky authentication events preceding rule creation.
- Audit OAuth Applications: Remove unrecognized or overly permissive apps with mailbox access and revalidate consent for legitimate ones.
These steps should be treated as mandatory, even if mailbox rules appear to be the only visible indicator of compromise.
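The four response steps for a single compromised mailbox, in the order given above, as an added example that is not from the original article or from Proofpoint. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an admin account with the listed scopes, and a hypothetical user principal name and case folder; the 14-day sign-in window and the list of mailbox-capable scopes are assumptions to adjust to the case.

```powershell
# Added example (not from the original article). Containment for one compromised mailbox.
# Assumptions: $Upn is the compromised account (hypothetical), $CaseDir is where evidence is kept.
$Upn     = 'acct.specialist@contoso.com'
$CaseDir = Join-Path $HOME ("ir-" + (Get-Date -Format 'yyyyMMdd'))
New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All',
                        'Application.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'

# 1) Remove malicious rules. Export first so the rule logic survives as evidence. -IncludeHidden
#    surfaces rules hidden from Outlook and OWA (created directly over MAPI), which plain
#    Get-InboxRule omits. Removing every rule is deliberate: the user re-creates legitimate ones.
$rules = Get-InboxRule -Mailbox $Upn -IncludeHidden
$rules | Select-Object Name, Enabled, Description, ForwardTo, RedirectTo, ForwardAsAttachmentTo,
                       DeleteMessage, MarkAsRead, MoveToFolder, SubjectContainsWords |
    Export-Clixml -Path (Join-Path $CaseDir 'inboxrules.xml')
$rules | Remove-InboxRule -Confirm:$false -Force
# Mailbox-level forwarding is a Set-Mailbox property, not a rule, and is easy to miss.
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false

# 2) Revoke sessions and refresh tokens. A password reset alone leaves issued tokens valid until
#    they expire; the revocation below invalidates them. Reset the password afterwards, e.g.
#    Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = <generated>; ForceChangePasswordNextSignIn = $true }
$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3) Review sign-in activity preceding the rule creation. Narrow the window to the rule's
#    CreationTime from the audit log once known.
$since = (Get-Date).AddDays(-14).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" |
    Select-Object CreatedDateTime, IpAddress,
                  @{ n = 'Country';  e = { $_.Location.CountryOrRegion } },
                  AppDisplayName, ClientAppUsed,
                  @{ n = 'Browser';  e = { $_.DeviceDetail.Browser } },
                  @{ n = 'Risk';     e = { $_.RiskLevelDuringSignIn } },
                  @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } }
$signIns | Export-Csv -Path (Join-Path $CaseDir 'signins.csv') -NoTypeInformation
$signIns | Group-Object IpAddress, Country | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize     # unfamiliar IPs float to the bottom

# 4) Audit OAuth consent grants held by this user; anything unrecognised with mailbox scopes goes.
$mailScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite', 'offline_access'
$grants = Get-MgUserOauth2PermissionGrant -UserId $user.Id -All | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{ GrantId = $_.Id; App = $sp.DisplayName; Publisher = $sp.PublisherName; Scopes = $_.Scope }
}
$grants | Format-Table -AutoSize
$grants | Where-Object { @(($_.Scopes -split ' ') | Where-Object { $_ -in $mailScopes }).Count -gt 0 } |
    ForEach-Object {
        Write-Warning "Mailbox-capable grant: $($_.App) ($($_.Publisher)) -> $($_.Scopes)"
        # After confirming the app is not sanctioned:
        # Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.GrantId
    }
```

The grant removal is left as a comment on purpose: a verified publisher with Mail.Read may be a sanctioned integration, and revoking it mid-incident creates a second outage. Everything else in the script is safe to run unconditionally on an account already judged compromised.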
This type of activity contributes to broader organizational impact. Proofpoint research shows that 77% of CISOs in the UAE experienced material data loss in the past year.
UAE Cybersecurity Council findings further highlight the scale of the threat landscape, with between 90,000 and 200,000 attempted cyberattacks targeting the country every day.
Against this backdrop, organizations need stronger visibility into user accounts and email activity to detect and prevent misuse.
