Cybercriminals are leveraging a sophisticated tactic within Microsoft 365, exploiting built-in mailbox rules to silently intercept sensitive business communications. This emerging threat allows attackers to capture financial data, redirect confidential emails, and even suppress critical security alerts without alerting the account owner.
Microsoft 365 mailbox rules, designed for productivity, are being weaponized by threat actors to create persistent backdoors within corporate accounts. Researchers from Proofpoint have identified this method as a prevalent post-compromise behavior, highlighting its effectiveness in stealthy data exfiltration and ongoing reconnaissance.
How Hackers Create Hidden Mailbox Rules in Microsoft 365 to Intercept Sensitive Business Emails
Once attackers gain unauthorized access to a Microsoft 365 account, typically through credential phishing, password spraying, or OAuth consent abuse, they strategically implement mailbox rules. These rules are configured to act automatically on incoming emails based on specific keywords or sender criteria defined by the attacker. The primary goal is to divert sensitive information, such as invoices, contracts, or financial transactions, to external, attacker-controlled email addresses.
A concerning aspect of this attack vector is its invisibility. Malicious rules are often given short, generic, or nonsensical names, making them unlikely to be discovered during a routine review of an account’s settings. This camouflage is crucial for maintaining access and avoiding detection for extended periods, allowing attackers to operate with minimal risk.
Proofpoint researchers Anna Akselevich, Pavel Asinovsky, and Yaniv Miron observed that approximately 40% of compromised Microsoft 365 accounts exhibited the creation of at least one malicious mailbox rule shortly after the initial breach. The speed at which these rules are implemented is alarming, with one recorded instance of a rule being created just eight seconds after an account compromise, suggesting a high degree of automation in this post-exploitation phase.
The impact of these hidden mailbox rules extends beyond simple email interception. Attackers can also configure rules to hide multi-factor authentication (MFA) alerts, password reset notifications, and suspicious login warnings. This prevents legitimate users from realizing their accounts have been compromised, effectively blinding them to ongoing malicious activity. Furthermore, these rules can persist even after the victim changes their password, offering a persistent avenue for attackers.
In a documented payroll fraud scenario, an attacker compromised an account and immediately set up a rule to archive emails containing “Payment List” in the subject line. Concurrently, the attacker used the third-party email platform Zoho to register a spoofed domain. By employing homoglyph characters—letters that visually mimic legitimate ones—in the domain name, the attacker aimed for a nearly identical appearance to the company’s actual domain. Because the mailbox rule was active, all verification emails from Zoho were automatically moved to a hidden folder. This allowed the attacker to successfully complete the registration process without the victim’s knowledge, providing a platform from which they could insert fraudulent messages into existing email threads to manipulate payment actions.
Mitigation Strategies for Email Security
Security teams and organizations must implement robust measures to counter this threat. Disabling automatic external forwarding in Exchange Online is a critical step, as it directly removes one of the most exploited persistence mechanisms: a rule that forwards or redirects mail to an external address stops working even if an attacker manages to create it. Enforcing multi-factor authentication (MFA) coupled with conditional access policies significantly reduces the risk of initial account compromise.
Additionally, regular auditing of mailbox rules is essential for early detection. Organizations should also monitor OAuth consent grants for suspicious application permissions and promptly revoke active sessions when a breach is suspected. Reviewing Microsoft Entra ID sign-in logs for unusual locations or risky authentication events can provide further insights into potential compromises and help contain threats related to hidden rules.
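The following PowerShell is an added example for the two Exchange Online controls above (disabling external auto-forwarding and auditing mailbox rules); it is not code from the article or from Proofpoint. It assumes the ExchangeOnlineManagement module and an administrative account that can read inbox rules; the folder and keyword lists are constructed from the behaviours described above and should be tuned per tenant.

```powershell
# Added example: flag inbox rules that forward externally, delete mail, bury mail in
# rarely checked folders, key on payment or security-alert wording, or carry a
# near-empty name. Read-only apart from the two remediation lines at the end.
Connect-ExchangeOnline -ShowBanner:$false

$acceptedDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }
$suspectFolders  = @('RSS Subscriptions', 'RSS Feeds', 'Conversation History', 'Archive', 'Junk Email', 'Deleted Items')  # constructed
$suspectWords    = @('invoice', 'payment', 'wire', 'password', 'MFA', 'verification', 'security alert', 'sign-in')      # constructed

function Get-ExternalRecipients {
    param([object[]]$Recipients)
    # Rule recipients render as 'Name [SMTP:user@domain]'; keep only domains outside the tenant
    foreach ($r in $Recipients) {
        if ($r -and ("$r" -match 'SMTP:([^\]]+)\]')) {
            $domain = ($Matches[1] -split '@')[-1].ToLower()
            if ($acceptedDomains -notcontains $domain) { $Matches[1] }
        }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons  = @()
        $external = Get-ExternalRecipients (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo))
        if ($external)           { $reasons += "forwards externally to $($external -join ', ')" }
        if ($rule.DeleteMessage) { $reasons += 'deletes matching mail' }
        if ($rule.MoveToFolder -and ($suspectFolders | Where-Object { $rule.MoveToFolder -like "*$_*" })) {
            $reasons += "moves mail to $($rule.MoveToFolder)"
        }
        $words = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) + @($rule.SubjectOrBodyContainsWords)
        $hits  = $words | Where-Object { $w = "$_"; $suspectWords | Where-Object { $w -like "*$_*" } }
        if ($hits) { $reasons += "matches keywords: $($hits -join ', ')" }
        if ($rule.Name.Trim().Length -le 2) { $reasons += "short or empty name '$($rule.Name)'" }
        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; Enabled = $rule.Enabled
                Created = $rule.WhenCreated;      Why  = ($reasons -join '; ')
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize

# Remediation (tenant-wide, apply once the findings have been reviewed): block automatic
# forwarding to external domains both at the remote-domain and the outbound-spam layer.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Rules that forward only to internal EX: addresses are deliberately not flagged; review those separately if the tenant allows users to create rules targeting shared mailboxes.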
The continued reliance on native Microsoft 365 features by attackers highlights the need for organizations to remain vigilant and adapt their security strategies. As cybercriminals evolve their tactics, it is imperative for businesses to stay informed about emerging threats and strengthen their defenses to protect sensitive data and maintain operational integrity.

