Microsoft 365 mailbox rules abused for exfiltration, persistence

April 13, 2026
By Steve Zurier

A broad mix of attackers are abusing Microsoft 365 mailbox rules as a stealthy way to control email flow, deleting, hiding, forwarding or marking messages as read without alerting victims.

Security pros said it is a dangerous technique because it shows how adversaries can abuse platform features that Microsoft users rely on every day for legitimate workflows.

“Leaving your mailbox rules unmonitored for extended periods of time can open the door for attackers to cause damage through data exfiltration, persistence, and communication manipulation,” said Yaniv Miron, director of threat research at Proofpoint, which published a blog post on the topic April 13.

According to the Proofpoint post, approximately 10% of compromised accounts in Q4 2025 had malicious mailbox rules created shortly after initial access. Another key finding is that the persistence survives password resets: forwarding and suppression rules remain active after credential changes, allowing continued data leakage for as long as the rule exists.

Miron added that his Proofpoint team has seen many types of attackers use this technique. It is an easy method, he noted, because it relies on native functionality that is so useful nearly everyone uses it.

“It could be used manually, added to part of a hacking tool, or even incorporated into malware that uses post-exploitation ATO [account takeover] techniques,” said Miron.

Shane Barney, chief information security officer at Keeper Security, said credential theft gets the headlines, but what happens after initial access is where attackers do their real damage. Once inside, Barney said, they move quickly to establish persistence using whatever native tools the platform provides, and in Microsoft 365 environments, mailbox rules are one of the most effective mechanisms available.
“These rules require no malware, no external infrastructure, and almost no effort,” said Barney. “Within seconds of gaining access, attackers can configure rules that automatically delete or bury incoming security alerts, MFA notifications and password reset emails – the exact messages that would tip off a victim. And because mailbox rules are stored at the mailbox level, rather than the credential level, they remain even after a password reset.”

Denis Calderone, CTO and principal at Suzu Labs, explained that mailbox rules are one of the first things security teams look for when triaging a business email compromise (BEC). Here is how it works: the attacker gets in, creates a rule that forwards copies of everything to an external address or deletes security alerts and password reset notifications so the victim never realizes they have been compromised, and then goes about their business.

“What makes [it really bad] is the persistence,” said Calderone. “Most organizations think resetting the password fixes a compromised account. It doesn't. Mailbox rules survive password changes. They survive MFA enrollment. Unless someone specifically goes in and removes them, they keep running. We've responded to incidents where the attacker was locked out months ago, but data was still being forwarded to an external address because nobody checked the rules.”

Proofpoint’s Miron offers the following tips to teams running Microsoft 365 environments:

- Delete all unauthorized inbox rules.
- Invalidate active sessions and refresh tokens to eliminate persistent access.
- Remove unrecognized or overly permissive apps.
- Educate users on what mailbox rules can do and the risks that arise when the rules go unmonitored.
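The following PowerShell is an added example, not code from SC Media, Proofpoint, or the people quoted above. It turns the triage described by Calderone and the four remediation steps listed by Miron into something an Exchange Online administrator can run: part 1 inventories every mailbox's inbox rules and flags the forward, delete, hide and mark-as-read patterns the article describes; part 2 contains one confirmed-compromised mailbox. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules and an account permitted to read mailboxes, rules, the unified audit log and app consent grants. The tenant domains, the keyword and folder lists, the output path and the example user `jdoe@contoso.com` are placeholders; the way recipients render as `[SMTP:addr]` versus `[EX:...]` is the Exchange Online display convention the address check relies on.

```powershell
# Added example (not code from SC Media, Proofpoint or the people quoted above).
# Part 1 hunts every mailbox for the forward / delete / hide / mark-as-read rule
# patterns the article describes; part 2 applies the four containment steps to
# one mailbox. Assumes the ExchangeOnlineManagement and Microsoft.Graph modules
# and an account with rights to read mailboxes, rules, audit logs and app grants.
# Tenant domains, keyword lists and the example UPN are placeholders.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.Read.All' -NoWelcome

$InternalDomains = @('contoso.com', 'contoso.onmicrosoft.com')         # assumption: your domains
$AlertKeywords   = @('password', 'security', 'alert', 'mfa', 'verification', 'sign-in',
                     'suspicious', 'invoice', 'payment', 'wire', 'hack')
$HidingFolders   = @('RSS Subscriptions', 'RSS Feeds', 'Conversation History',
                     'Junk Email', 'Deleted Items', 'Archive')

# Non-empty values of one or more multi-valued rule properties, flattened.
function Get-RuleValues {
    param($Rule, [string[]]$Property)
    foreach ($p in $Property) { @($Rule.$p) | Where-Object { $_ } }
}

# Rule recipients render as '"Name" [SMTP:addr]' for external addresses and as
# '[EX:...]' for directory objects, so an SMTP address outside our domains is external.
function Get-ExternalAddress {
    param([object[]]$Recipients)
    foreach ($r in $Recipients) {
        foreach ($m in [regex]::Matches([string]$r, 'SMTP:([^\]\s]+)')) {
            $addr = $m.Groups[1].Value
            if ($InternalDomains -notcontains $addr.Split('@')[-1]) { $addr }
        }
    }
}

# Reasons a rule looks malicious; an empty result means it looks benign.
function Test-SuspiciousRule {
    param($Rule)
    $reasons  = @()
    $external = @(Get-ExternalAddress (Get-RuleValues $Rule 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo'))
    if ($external) { $reasons += "forwards outside the tenant to $($external -join ', ')" }
    $words = @(Get-RuleValues $Rule 'SubjectContainsWords', 'BodyContainsWords',
                                    'SubjectOrBodyContainsWords', 'FromAddressContainsWords')
    $hits  = @($words | Where-Object { $w = $_; $AlertKeywords | Where-Object { $w -like "*$_*" } })
    if ($hits -and $Rule.DeleteMessage) { $reasons += "deletes mail matching '$($hits -join ', ')'" }
    if ($hits -and $Rule.MarkAsRead)    { $reasons += "marks mail matching '$($hits -join ', ')' as read" }
    if ($Rule.MoveToFolder) {
        $leaf = ($Rule.MoveToFolder -split '\\')[-1]
        if ($HidingFolders -contains $leaf) { $reasons += "buries mail in $leaf" }
    }
    # No condition at all means the action hits every incoming message.
    if (-not $words -and ($Rule.DeleteMessage -or $external)) { $reasons += 'applies to all mail' }
    return $reasons
}

# Part 1: tenant-wide hunt. -IncludeHidden also returns rules created over MAPI
# that do not show up in the user's own rule list.
$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden) {
        $why = Test-SuspiciousRule $rule
        if ($why) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; Enabled = $rule.Enabled
                               Identity = $rule.Identity; Reasons = ($why -join '; ') }
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
$findings | Export-Csv -NoTypeInformation -Path .\suspicious-inbox-rules.csv

# Part 2: contain one mailbox once an analyst has confirmed which identities are malicious.
function Invoke-MailboxContainment {
    param([Parameter(Mandatory)][string]$UserPrincipalName, [string[]]$MaliciousRuleIdentity = @(), [int]$LookbackDays = 30)

    # Scope first: the audit log keeps each rule's parameters and the client IP, so it
    # shows who created what, from where, including rules the attacker has since deleted.
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) -UserIds $UserPrincipalName `
        -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000 | ForEach-Object {
            $d = $_.AuditData | ConvertFrom-Json
            [pscustomobject]@{ When = $_.CreationDate; Op = $_.Operations; ClientIP = $d.ClientIP
                               Params = (($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ') }
        } | Format-Table -Wrap

    # 1. Delete the unauthorized rules.
    foreach ($id in $MaliciousRuleIdentity) { Remove-InboxRule -Mailbox $UserPrincipalName -Identity $id -Confirm:$false }
    # 2. Invalidate sessions and refresh tokens; a password reset by itself leaves them valid.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    # 3. List the OAuth consents this user granted so unrecognized or over-permissioned apps
    #    can be removed with Remove-MgOauth2PermissionGrant.
    Get-MgUserOauth2PermissionGrant -UserId $UserPrincipalName | ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{ App = $sp.DisplayName; AppId = $sp.AppId; Scope = $_.Scope; GrantId = $_.Id }
    } | Format-Table -Wrap
    # 4. Verify: no rules left (hidden ones included) and no mailbox-level forwarding,
    #    a separate setting that Get-InboxRule does not show.
    Get-InboxRule -Mailbox $UserPrincipalName -IncludeHidden | Format-Table Name, Enabled, ForwardTo, DeleteMessage
    Get-Mailbox -Identity $UserPrincipalName | Format-List ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
}

Invoke-MailboxContainment -UserPrincipalName 'jdoe@contoso.com' `
    -MaliciousRuleIdentity @(($findings | Where-Object Mailbox -eq 'jdoe@contoso.com').Identity)
```

Get-InboxRule is one call per mailbox, so the hunt is slow on large tenants and is better run on a schedule than ad hoc; tune the keyword and folder lists to what your own security, MFA and finance mail actually looks like, since the 'Archive' entry in particular will produce benign hits. The audit search only works if auditing is enabled and returns at most 5,000 records per call, so page it with -SessionCommand for busy mailboxes. The rule removal and session revocation are the two steps that actually end the attacker's access; resetting the password without them leaves both the rule and any existing refresh tokens working, which is the persistence the article describes. As a preventive control, external auto-forwarding can also be switched off tenant-wide in the outbound spam filter policy (Set-HostedOutboundSpamFilterPolicy -AutoForwardingMode Off), which blocks the forwarding rules even if one slips past the hunt.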
Attackers are abusing native Microsoft 365 mailbox rules to establish persistence and exfiltrate data by creating rules that automatically forward, delete, or hide emails, including security alerts. This technique is dangerous as the rules persist through password resets and require no malware, leveraging legitimate platform functionality. Security teams should prioritize monitoring and auditing mailbox rules as a critical post-compromise activity.