Have you ever taken a look at your Microsoft 365 mailbox rules? If not, it might be worth a few minutes of your time. Because newly released research reveals that hackers may already have beaten you to it.
A new report from researchers at Proofpoint reveals that approximately one in ten Microsoft 365 accounts compromised in Q4 2025 had malicious mailbox rules created shortly after the attacker gained access — in some cases within an astonishing five seconds of the initial breach.
Mailbox rules are a legitimate productivity tool — most people use them to sort newsletters or flag emails from their boss or important clients.
But once a cybercriminal is inside your account, those same rules can be used against you. Hackers can create rules that silently forward, hide, or delete messages, exfiltrating data, suppressing security alerts, and intercepting communications.
All this can happen without a single piece of malware being installed.
And what's particularly unpleasant is that rules forwarding or suppressing emails can survive a password reset. In short, you may think that because you have changed your credentials any intruders have been evicted — but your data may still be leaking.
Interestingly, the research noted that the names given to rules by attackers are often nonsensical.
Rather than using descriptive or human-readable names for their malicious rules, attackers often favor short, generic, or otherwise unobtrusive names.
The report names these as the most frequently observed rule names:
- ‘.’ (16%)
- ‘...’ (8.5%)
- ‘..’ (8%)
- ‘;’ (6%)
- ‘;;;’ (4%)
In one real-world case, an attacker compromised an account belonging to a worker with the job title of "Accounting specialist." The hacker immediately created a rule named "..." to hide emails that had the subject line "FW: Payment Receipt".
The attacker then used that same account to send a phishing email with the same subject line to 45 colleagues. Unfortunately, one of those who fell for the bait was the CEO's assistant, who had access to payroll systems, and their account was compromised as well.
Furthermore, as I have described in the past, hackers have been known to create rules in their victims' email accounts, automatically deleting any incoming email that contains words like "virus", "malware", "phishing", or "hack."
The reason? To prevent staff from receiving warnings from their IT department that their email accounts may have been targeted.
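The naming pattern in the list above, the "..." rule that hid "FW: Payment Receipt", and the rules that delete mail mentioning "virus", "malware", "phishing" or "hack" are all things a defender can hunt for in one pass over a tenant's inbox rules. The PowerShell below is an added example, not code from the article or from Proofpoint. The function name, the `$InternalDomains` value and the sample rule objects are assumptions constructed for the demonstration; the property names (`Name`, `ForwardTo`, `RedirectTo`, `DeleteMessage`, `MoveToFolder`, `SubjectContainsWords`, `BodyContainsWords`, `MailboxOwnerId`) are those returned by `Get-InboxRule` in the ExchangeOnlineManagement module, so the same function can be fed real output.

```powershell
# Added example (not from the article or the report): hunt for inbox rules with the
# traits described in the text. Works on constructed sample objects below or on real
# Get-InboxRule output piped in from the ExchangeOnlineManagement module.

function Test-SuspiciousInboxRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Rule,
        # Assumption: your own accepted domains; any other recipient domain is "external".
        [string[]] $InternalDomains = @('contoso.example'),
        # Words attackers filter so staff never see an IT warning (list from the article).
        [string[]] $AlertWords = @('virus', 'malware', 'phishing', 'hack')
    )
    process {
        $reasons = [System.Collections.Generic.List[string]]::new()

        # 1. Nonsensical names: 1-4 characters of punctuation/whitespace such as '.', '...', ';', ';;;'
        if ($Rule.Name -match '^[\s\p{P}]{1,4}$') {
            $reasons.Add("punctuation-only name '$($Rule.Name)'")
        }

        # 2. Forwarding or redirecting to an address outside the internal domains
        $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            # Get-InboxRule renders recipients as '"Name" [SMTP:user@domain]'; pull out the address
            $addr = [regex]::Match([string]$t, '[\w.+-]+@[\w.-]+\.\w+').Value
            if ($addr -and ($addr.Split('@')[1] -notin $InternalDomains)) {
                $reasons.Add("forwards to external address $addr")
            }
        }

        # 3. Hiding mail: delete it, or bury it in a folder nobody reads
        $buried = $Rule.DeleteMessage -eq $true -or
                  ([string]$Rule.MoveToFolder -match 'RSS|Junk|Deleted|Archive|Conversation History')
        if ($buried) {
            $filters = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) | Where-Object { $_ }
            if ($filters) {
                $reasons.Add("hides mail matching: $($filters -join ', ')")
            } else {
                $reasons.Add('deletes or buries mail with no content filter')
            }
            # 4. Specifically suppressing security warnings from IT
            $hits = $filters | Where-Object { $w = $_; $AlertWords | Where-Object { $w -match $_ } }
            if ($hits) { $reasons.Add("suppresses security-warning keywords: $($hits -join ', ')") }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $Rule.MailboxOwnerId
                RuleName = $Rule.Name
                Enabled  = $Rule.Enabled
                Reasons  = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules (not real data) modelled on the cases in the article.
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'a.specialist@contoso.example'; Name = '...'; Enabled = $true
        SubjectContainsWords = @('FW: Payment Receipt'); BodyContainsWords = $null; DeleteMessage = $true
        MoveToFolder = $null; ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = $null }
    [pscustomobject]@{ MailboxOwnerId = 'a.specialist@contoso.example'; Name = ';'; Enabled = $true
        SubjectContainsWords = $null; BodyContainsWords = $null; DeleteMessage = $false; MoveToFolder = $null
        ForwardTo = @('"mailbox" [SMTP:drop@attacker.example]'); ForwardAsAttachmentTo = $null; RedirectTo = $null }
    [pscustomobject]@{ MailboxOwnerId = 'b.user@contoso.example'; Name = '.'; Enabled = $true
        SubjectContainsWords = $null; BodyContainsWords = @('virus', 'malware', 'phishing', 'hack')
        DeleteMessage = $true; MoveToFolder = $null; ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = $null }
    [pscustomobject]@{ MailboxOwnerId = 'b.user@contoso.example'; Name = 'Newsletters'; Enabled = $true   # benign
        SubjectContainsWords = @('weekly digest'); BodyContainsWords = $null; DeleteMessage = $false
        MoveToFolder = 'Newsletters'; ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = $null }
)

# Offline run: the first three rules are reported, the newsletter rule is not.
$sampleRules | Test-SuspiciousInboxRule | Format-Table -AutoSize

# Against a real tenant (needs Connect-ExchangeOnline first):
# Get-Mailbox -ResultSize Unlimited |
#     ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName } |
#     Test-SuspiciousInboxRule | Export-Csv .\suspicious-inbox-rules.csv -NoTypeInformation
```

The name check deliberately stays narrow (punctuation only, up to four characters) so that it keys on the exact pattern the report observed rather than on every short rule name; widen it only after checking what your own users' rules look like, or the false-positive rate will swamp the findings. External forwarding and keyword-suppression are the higher-confidence signals and are worth alerting on regardless of the rule's name.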
Five years ago, the FBI warned businesses of the threat posed by Business Email Compromise (BEC) scammers who create auto-forwarding rules in victims' accounts — and from the sound of things, the malicious mailbox rule threat continues to be a significant challenge.
So, what should you do if you want to better defend your business from an attack like this?
Well, one piece of advice is to disable automatic external forwarding in Exchange Online. Microsoft provides the option, so why not use it?
Also, ensure that multi-factor authentication and conditional access policies are enforced, and monitor OAuth app grants closely, since these can provide persistent mailbox access that survives a password reset.
And if you discover a compromised account, don't just change the password and think that is enough: remove any unexpected mailbox rules, revoke active sessions, refresh tokens, and review sign-in logs for the activity that predated the rule's creation.
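The three pieces of advice above (block external auto-forwarding, then on compromise remove the rules, cut off sessions and tokens, and trace the sign-ins that preceded the rule) translate into a short runbook. The PowerShell below is an added example, not the article's own procedure. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and an admin is connected; `$Upn` is a placeholder for the compromised account, and the 30-day audit window and the file path are choices made for the example.

```powershell
# Added example (not from the article): tenant hardening plus response steps for one
# compromised mailbox. Requires ExchangeOnlineManagement and Microsoft.Graph modules.
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All'

# ---- 1. Disable automatic external forwarding tenant-wide ----
# Remote-domain switch: stops client-side auto-forward rules to the default (all external) domain
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
# Outbound spam policy switch: the newer control that also covers mailbox-level SMTP forwarding
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# ---- 2. Respond to a compromised account (password reset alone is not enough) ----
$Upn = 'a.specialist@contoso.example'   # placeholder for the compromised mailbox

# a. Keep an evidence copy of every rule, then remove the ones that forward, redirect or delete.
$rules = Get-InboxRule -Mailbox $Upn
$rules | Export-Clixml -Path ".\inboxrules-$($Upn -replace '[@.]', '_').xml"
$rules | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Remove-InboxRule -Confirm:$false

# Mailbox-level forwarding lives outside inbox rules and survives a reset just as well; clear it too.
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false

# b. Revoke active sessions and refresh tokens (reset the password through your normal process as well).
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# c. Find when the first rule was created, then review sign-ins that predate it.
$ruleEvents = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds $Upn -Operations 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules' -ResultSize 500
$firstRule = ($ruleEvents | Sort-Object CreationDate | Select-Object -First 1).CreationDate

if ($firstRule) {
    $cutoff = $firstRule.ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime le $cutoff" -Top 50 |
        Select-Object CreatedDateTime, IpAddress,
            @{ n = 'Country';  e = { $_.Location.CountryOrRegion } },
            @{ n = 'ClientApp'; e = { $_.ClientAppUsed } },
            @{ n = 'Result';   e = { $_.Status.ErrorCode } } |
        Format-Table -AutoSize
} else {
    Write-Warning "No inbox-rule events found for $Upn in the last 30 days; widen the window or check OAuth grants."
}
```

Run the removal step only after the evidence export has succeeded: the exported rule objects (names, forwarding targets, subject filters) are what tell you which colleagues may have received phishing from the account and which warnings were being suppressed. The sign-in review is the part most often skipped; the login from an unfamiliar IP or client a few seconds before the rule appeared is the actual initial access, and any other account that shows the same source needs the same treatment.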
And then, just to be safe — go and check your own inbox rules.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.