Microsoft 365 mailbox rules abused for exfiltration, persistence
ID: 97912ade-9869-5a3b-b64f-deee8542606c
STIX ID: report--97912ade-9869-5a3b-b64f-deee8542606c
Feed Name: Proofpoint Blog
Security vendors report attackers are creating malicious Microsoft 365 mailbox rules to automatically forward, delete, or suppress emails — including security alerts, MFA notifications, and password resets — enabling stealthy data exfiltration and persistence that survives password resets and MFA enrollment. Proofpoint observed this technique in roughly 10% of compromised accounts in Q4 2025; recommended mitigations include removing unauthorized inbox rules, invalidating sessions and refresh tokens, removing unrecognized apps, and user education.
