Attackers Exploit O365 Mailbox Rules for Stealth Data Exfiltration and Persistence
What Happened — Threat researchers observed that adversaries are creating malicious mailbox rules in Microsoft 365 after gaining initial access. These rules forward, delete, or relocate email messages, enabling covert data exfiltration and long‑term persistence even after password changes.
Why It Matters for TPRM —
- Native O365 features can be weaponized, bypassing traditional endpoint detections.
- Compromised vendor accounts can silently leak sensitive communications to attackers.
- Persistence via mailbox rules survives credential resets, extending exposure windows.
Who Is Affected — Enterprises using Microsoft 365 (cloud SaaS), especially those in finance, healthcare, legal, and any sector that relies on email for confidential data exchange.
Recommended Actions —
- Audit all mailbox rules for anomalous entries (e.g., single‑character names, obscure folders).
- Enforce MFA and conditional access for privileged accounts.
- Deploy logging/alerting on rule creation via Office 365 audit logs.
- Conduct periodic credential hygiene and password‑reset verification.
Technical Notes — Attackers leverage stolen credentials (phishing, password spraying, OAuth abuse) to create forwarding or suppression rules. The technique does not require additional malware; it exploits built‑in O365 automation. Indicators include rules with names like “.”, “…”, “;”, and actions that move mail to “Archive”, “RSS Subscriptions”, or delete messages outright.
Source: Proofpoint Threat Insight
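The audit-log check recommended above, applied to the indicators listed in the technical notes, as an added example that is not part of the Proofpoint write-up. The records imitate the AuditData JSON that Search-UnifiedAuditLog returns for Exchange cmdlet operations (an Operation field plus a Parameters list of Name/Value pairs); the records, mailbox addresses and domains are constructed for the demo, and the scoring thresholds and folder list are assumptions a team would tune to its own environment.

```python
"""Triage Microsoft 365 inbox-rule creations for stealth-rule indicators.

Added example, not code from the Proofpoint write-up. Each record imitates the
AuditData JSON of a Unified Audit Log Exchange entry (Operation + Parameters);
all records below are constructed for the demo, not real log data.
"""
import json

# Punctuation-only names that hide a rule at the top of the rule list.
SUSPICIOUS_NAMES = {".", "..", "...", "\u2026", ";", ",", "-", "_"}
# Folders users rarely open, used to bury mail the rule has intercepted (assumed list).
SUSPICIOUS_FOLDERS = {"archive", "rss subscriptions", "rss feeds", "junk email"}
# Parameters that send mail out of the mailbox or destroy it.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
DELETE_PARAMS = ("DeleteMessage", "SoftDeleteMessage")
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule")

# Constructed sample records (one JSON document per line, as AuditData would be).
SAMPLE_AUDIT_LINES = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "jane@contoso-example.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "[SMTP:drop@mail-example.net]"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@contoso-example.com",
                "Parameters": [{"Name": "Name", "Value": "Move invoices"},
                               {"Name": "SubjectContainsWords", "Value": "invoice"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@contoso-example.com",
                "Parameters": [{"Name": "Name", "Value": "Newsletter cleanup"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "alice@contoso-example.com"}),
]


def load_records(lines):
    """Parse one JSON audit record per line."""
    return [json.loads(line) for line in lines]


def _parameters(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _is_external(address, user_id):
    """True when a forwarding target's domain differs from the mailbox owner's."""
    addr = address.strip('[]"').removeprefix("SMTP:")
    if "@" not in addr or "@" not in user_id:
        return False
    return addr.rsplit("@", 1)[1].lower() != user_id.rsplit("@", 1)[1].lower()


def score_rule(record):
    """Return (score, reasons) for one record; non-rule operations score 0."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return 0, []
    params = _parameters(record)
    user = record.get("UserId", "")
    reasons = []
    name = params.get("Name")
    if name is not None and (name.strip() in SUSPICIOUS_NAMES or len(name.strip()) <= 1):
        reasons.append(f"obfuscated rule name {name!r}")
    for key in FORWARDING_PARAMS:
        if key in params:
            scope = "external" if _is_external(params[key], user) else "internal"
            reasons.append(f"{key} -> {params[key]} ({scope})")
    if any(params.get(k, "").lower() == "true" for k in DELETE_PARAMS):
        reasons.append("rule deletes matching mail")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in SUSPICIOUS_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder {folder!r}")
    return len(reasons), reasons


def triage(audit_lines):
    """Return (user, rule name, score, reasons) for flagged rules, highest score first."""
    hits = []
    for record in load_records(audit_lines):
        score, reasons = score_rule(record)
        if score:
            hits.append((record.get("UserId", ""), _parameters(record).get("Name", ""),
                         score, reasons))
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for user, name, score, reasons in triage(SAMPLE_AUDIT_LINES):
        print(f"{score} {user} rule={name!r}: {'; '.join(reasons)}")
```

Each reason is reported separately so an analyst can see why a rule scored: the first sample record trips three indicators (punctuation-only name, forward to an external domain, deletion of the original), while a benign "move newsletters" rule scores zero and a move into RSS Subscriptions scores one and warrants a look rather than an alert on its own. In production the lines would come from the audit log export rather than the embedded sample, and the same scoring can be run retroactively after every credential reset, since rules created before the reset survive it.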