Attackers Weaponize Mailbox Rules to Control Your Inbox

In the modern landscape of Microsoft 365 security, the most dangerous threat might not be a sophisticated piece of malware, but a simple, automated setting you likely haven’t checked in years. A new report from Proofpoint reveals that “mailbox rules are a high-risk post-exploitation tactic” used by attackers to maintain a silent but absolute grip on compromised accounts.

Researchers found that “approximately 10% of compromised accounts in Q4 2025 had malicious mailbox rules created shortly after initial access”. Even more alarming is the speed of execution: the time between an account takeover (ATO) and the creation of a malicious rule can be as little as five seconds.

Once an attacker gains access—often through credential phishing or session token theft—they prioritize persistence and stealth over immediate disruption . Instead of deploying complex infrastructure, “they abuse native platform features to operate undetected under the compromised identity”.

Malicious rules are designed to delete, hide, or forward messages, effectively giving the attacker control over the email flow without the victim’s knowledge. Proofpoint notes a distinct pattern in how these rules are named:

• Minimalist Naming: Attackers favor nonsensical or generic strings like “.”, “…”, “..”, and “;” .
• Lazy Tradecraft: Because these rules are rarely reviewed by users, attackers are often “confident they won’t be detected, they put little thought into rule names, opting for quick, throwaway characters instead”.

Attackers leverage these rules for several high-value objectives. By creating “forwarding or redirection rules,” they can automatically send high-value data containing keywords like “invoice,” “wire,” or “contract” to external mailboxes .

Crucially, these rules act as a “suppression” mechanism. They can be configured to delete or move security alerts and MFA notifications, ensuring that “victims remained unaware of ongoing misuse of their accounts”. This buys attackers the time needed to deepen their foothold or complete fraudulent operations.

Unlike traditional credentials, “forwarding and suppression rules remain active after credential changes, allowing continued data leakage as long as the rule exists”. This creates a cloud-native persistence mechanism that doesn’t require the attacker to “re-hack” the account if the user changes their password.

The barrier to entry for these attacks has dropped significantly due to automation. To illustrate this, Proofpoint researchers developed ATOLS (Account Take Over Live Simulation), a tool that demonstrates the simplicity of executing these operations at scale .

ATOLS can automatically:

• Capture Session Tokens: Bypassing traditional MFA challenges by using captured session cookies .
• Deploy Rules Instantly: Once a token is obtained, the tool “automatically creates a malicious mailbox rule with a name and logic specified by the operator”.
• Perform Post-Exploitation: Including enumerating contacts or accessing SharePoint.