How Cybercriminals Are Turning Your Inbox Rules Into a Backdoor

Hackers are quietly exploiting a built-in Microsoft 365 feature to steal emails, hide security alerts, and maintain long-term access to corporate accounts — all without installing a single piece of malware.

The technique, which abuses Outlook’s mailbox rules, has become a go-to tactic in business email compromise (BEC) campaigns targeting organizations worldwide.

Once inside an account — through phishing, password spraying, or a stolen OAuth token — attackers don’t need to act loudly. Instead, they turn to legitimate inbox management features to do their dirty work in the background. Mailbox rules, typically used to sort and organize email, can be repurposed to automatically delete incoming messages, forward them to attacker-controlled addresses, or bury them in obscure folders like “Archive” or “RSS Subscriptions.”

Because everything happens inside the victim’s own account with no external network interception, users rarely notice anything is wrong.

Fast, Quiet, and Built to Last

The speed of these attacks is striking. According to 2025 security telemetry from Proofpoint, roughly 10% of compromised Microsoft 365 accounts had a malicious mailbox rule created within just five seconds of the initial account takeover. The rules themselves are often named with throwaway characters like “.”, “..”, or “;,” — a sign of both automation and a degree of attacker overconfidence.

What makes this tactic especially dangerous is its staying power. Even after a victim resets their password, the rogue rules remain active. Unless an administrator manually finds and removes them, emails continue to be suppressed or forwarded — potentially leaking sensitive data for weeks or months after the original breach.

In one documented case, a payroll employee’s account had a rule that moved any email containing “Payment Receipt” in the subject line straight to the Archive folder. Attackers later used that same subject line in a follow-up phishing campaign, knowing replies would be hidden automatically. Verification emails from Zoho were similarly rerouted to the “RSS Subscriptions” folder — keeping the victim completely in the dark while attackers extended their reach into executive accounts to commit payroll fraud.

A Man-in-the-Middle Attack That Never Leaves the Inbox

Security researchers describe this as a new form of man-in-the-middle attack — one conducted entirely within Microsoft 365. In one incident, attackers concealed Zoho emails in a hidden folder, registered a lookalike domain using subtle character substitutions to impersonate the victim’s company, and hijacked an ongoing vendor payment thread. They never needed to maintain continuous access to the account. The mailbox rules did the work for them, ultimately tricking a vendor into routing duplicate payments to attacker-controlled bank accounts.

Now Automated at Scale

The threat has evolved beyond individual account manipulation. Attackers are now using Microsoft Graph API calls and PowerShell scripts to deploy malicious mailbox rules across dozens or hundreds of accounts simultaneously. Proofpoint researchers developed a proof-of-concept tool called ATOLS that demonstrates just how seamless this has become: once a session token is stolen, the tool can automatically create custom mailbox rules the moment a user logs in — no password required.

What Organizations Can Do

Microsoft 365 administrators have several practical options for reducing exposure. Disabling external auto-forwarding at the tenant level cuts off the most common data exfiltration path. Enforcing multi-factor authentication and conditional access policies makes stolen credentials and replayed tokens significantly less useful. Equally important is continuous monitoring of new mailbox rules, along with any changes to OAuth permissions — particularly those involving mail read or write access.

Mailbox rules may look like a mundane productivity feature, but attackers have turned them into invisible backdoors. Regular inbox audits and employee awareness training are now as essential as endpoint protection when it comes to defending against modern email-based threats.

Related Articles

Back to top button