How Attackers Are Weaponising Microsoft 365's Own Features Against UAE Organisations


By: Kasun Illankoon

Malicious mailbox rules inside Microsoft 365 are emerging as one of the most quietly effective post-exploitation tools in the modern attacker's arsenal — and UAE organisations are bearing a disproportionate share of the damage. New data from Q4 2025 shows one in ten compromised accounts had a malicious rule created within hours of initial access. This is how the attack works, why it is so hard to detect, and what security teams must do now.

The Invisible Threat Living Inside Your Inbox

There are no exotic exploits here. No zero-days. No custom malware deployed across a network perimeter. In a growing number of enterprise breaches across the UAE and wider MENA region, attackers are achieving persistence, exfiltration, and full communication control using a feature every Microsoft 365 user interacts with daily: the humble inbox rule.

What makes this threat particularly dangerous for CISOs is precisely its mundanity. Mailbox rules are native, expected, and trusted. Security tooling tuned to detect anomalous processes or lateral movement often has no visibility into what is happening at the application layer of a cloud email platform. By the time a suspicious rule is identified, the attacker may have been silently harvesting communications for weeks.

Tech Revolt's investigation, drawing on incident response data, threat intelligence from the UAE Cybersecurity Council, and research from Proofpoint, examines how this attack vector works in practice — and why it demands more attention from security leadership than it is currently receiving.

How Attackers Get In: The Entry Points

Before a single mailbox rule is created, an attacker needs to get inside the environment. In Microsoft 365, the most common initial access routes are well-documented but persistently effective:

  • Credential phishing — still the dominant vector; the UAE Cybersecurity Council attributes 75% of cyberattacks in the UAE to phishing as the opening stage, before attackers escalate to more advanced techniques
  • Password spraying and brute-force — exploiting weak or reused credentials at scale
  • OAuth consent abuse — tricking users into granting third-party applications excessive permissions to mailbox data, bypassing password controls entirely

The scale of the threat environment matters here. The UAE Cybersecurity Council records between 90,000 and 200,000 attempted cyberattacks targeting the country every single day. Against that volume, even a small percentage of successful initial access events translates into a significant number of compromised environments.

Once inside, the attacker's priority is not disruption — it is invisibility.

The Mailbox Rule as a Weapon

Native Microsoft 365 mailbox rules allow users to automatically sort, forward, delete, or flag incoming email based on defined criteria. Attackers have learned to repurpose this functionality with surgical precision.

Analysis of compromised accounts across Q4 2025 found that approximately 10% had at least one malicious mailbox rule created shortly after initial access — a figure that security teams should treat as significant underreporting, given how infrequently these rules are actively audited.

The attack objectives this technique serves fall into four categories:

1. Data exfiltration at scale

Rules are configured to automatically forward emails matching high-value keywords — "invoice," "wire transfer," "contract," "payroll" — to external, attacker-controlled mailboxes. The data leaves the organisation continuously, automatically, and without triggering conventional data loss prevention alerts because it uses a legitimate platform feature.

2. Security alert suppression

Rules that silently delete, mark as read, or redirect emails can neutralise the very notifications designed to expose the attacker. Password reset confirmations, MFA enrollment alerts, suspicious login warnings, and replies flagging unusual behaviour are all candidates for suppression. The victim sees nothing. The attacker maintains control.

3. Cloud-native persistence

This is the detail that should concern CISOs most. Auto-forwarding rules survive password resets. If a compromised account has its password changed but the malicious rule is not identified and removed, the attacker retains full visibility into that mailbox indefinitely. The rule is the persistence mechanism — not the credential.

4. Man-in-the-middle-like communication manipulation

By routing specific correspondence to hidden folders, then responding from the compromised account, attackers can intercept ongoing business conversations, impersonate the account holder, and manipulate vendor or financial communications — all without touching the network layer. Unlike traditional man-in-the-middle attacks, there is no traffic to intercept. The platform does the work.

Case Study: The Accounting Specialist Breach

The following incident, drawn from incident response observations, illustrates how these techniques combine in a real-world attack chain.

Initial access was gained on an account belonging to an Accounting Specialist — a role with natural visibility into financial correspondence, vendor communications, and payment processes. Shortly after access was obtained, the attacker created a mailbox rule targeting any email containing "Payment Receipt" in the subject or body, automatically moving matching messages to the Archive folder. The victim had no visibility into these emails. The attacker did.

From this foothold, the attacker launched an internal phishing campaign targeting 45 additional users within the same organisation. The campaign's centrepiece was a "Payroll Enrollment" email sent from the compromised Accounting Specialist account — a trusted internal sender — to the company's payroll specialist, designed to initiate a fraudulent payroll-related transaction.

The mailbox rules played a decisive role at this stage. Any replies flagging the email as suspicious, any security alerts, any inter-departmental warnings — all were suppressed before they reached the compromised account's inbox. The attack had, in effect, given itself a clean operational environment inside the target's own infrastructure.

This attack chain — credential compromise, rule creation, alert suppression, internal phishing, financial fraud — is not an edge case. It is a repeatable playbook.

Why Detection Is Failing

The 77% of UAE CISOs who reported material data loss in the past year — as documented in Proofpoint's research — are not failing because of a lack of security investment. Many are failing because their detection models were not built for this class of attack.

Several factors work in the attacker's favour:

  • Legitimate tooling: Mailbox rules are a standard feature. Security operations centres are not typically alerting on rule creation events — they are alerting on malware signatures, impossible travel, and known-bad IP addresses. The attacker never touches any of those tripwires.
  • Audit gaps: Microsoft 365 logs mailbox rule creation events in the Unified Audit Log, but only if auditing is enabled — and only if someone is actively reviewing those logs. Many organisations have the data and are not looking at it.
  • OAuth blind spots: When initial access is achieved via OAuth consent abuse, the attacker operates under a legitimate application token. There are no failed logins. No suspicious authentication events. The access looks like a sanctioned third-party integration.
  • Cloud-speed attack timelines: From initial access to malicious rule creation, the window can be measured in minutes. By the time a weekly or even daily audit review surfaces the anomaly, the attacker has already established multiple persistence mechanisms.

What Security Teams Must Do

Addressing this threat requires action across three phases: prevention, detection, and response.

Prevention

  • Disable external auto-forwarding at the tenant level: Microsoft 365 allows administrators to block automatic forwarding to external domains via Exchange Online mail flow rules and outbound spam policies. This single control eliminates one of the most common exfiltration and persistence mechanisms. It should be enforced by default in every M365 environment. If it is not currently configured, it should be treated as a critical gap.
  • Enforce phishing-resistant MFA: Standard SMS or authenticator-app MFA is increasingly bypassed through adversary-in-the-middle phishing kits. Security teams should be moving toward FIDO2/passkey-based authentication for all privileged and high-risk accounts, supplemented by device compliance checks and Conditional Access policies that restrict access based on location and risk score.
  • Monitor OAuth application registrations: Every new OAuth consent grant in the tenant should be reviewed. Restrict user-level consent for third-party apps and require admin approval for any application requesting mailbox access permissions.

Detection

  • Enable and monitor the Unified Audit Log: Ensure auditing is active across the entire tenant. Configure alerts for mailbox rule creation events — particularly rules involving external forwarding addresses, deletion actions, or keyword-based filtering on sensitive terms. Microsoft Sentinel and Defender for Cloud Apps both support this natively.
  • Hunt for rules created immediately after authentication events: The Q4 2025 data shows rule creation happening shortly after initial access. A detection rule correlating new mailbox rules with first-seen IP addresses or high-risk sign-in events will surface this pattern.
  • Review OAuth grants quarterly: Audit connected applications for mailbox access permissions. Any application with access that cannot be attributed to a known, approved business use should be treated as a potential threat.

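As an added example (not code from the article, Microsoft, or any vendor tool), the following Python triage script applies the two detection ideas above to simplified Unified Audit Log and sign-in records constructed here: it flags New-InboxRule events that forward externally, delete, hide or keyword-filter mail, and tags those created within two hours of a sign-in from an IP address the user had never used before. The tenant domain, the flattened record shapes, the folder and keyword lists and the two-hour window are all assumptions.

```python
# Added example (not from the article or any Microsoft tooling): triage of Microsoft 365
# Unified Audit Log "New-InboxRule" events. Record shapes are simplified; sample data is constructed.
from datetime import datetime, timedelta

TENANT_DOMAINS = {"corp.example"}                     # assumed accepted domain; anything else is external
SENSITIVE_TERMS = {"invoice", "wire transfer", "contract", "payroll", "payment receipt"}
HIDING_FOLDERS = {"archive", "rss subscriptions", "deleted items"}   # folders users rarely check
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}
WINDOW = timedelta(hours=2)                           # "rule created within hours of initial access"

def rule_indicators(record):
    """Suspicious traits of one New-InboxRule record: external forward, delete, hide, sensitive keywords."""
    p = {x["Name"]: x["Value"] for x in record["Parameters"]}   # flatten the UAL Parameters array
    hits = []
    for name in FORWARD_PARAMS.intersection(p):
        hits += ["external_forward:" + a for a in p[name].split(";")
                 if a and a.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS]
    if str(p.get("DeleteMessage", "")).lower() == "true":
        hits.append("delete_message")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        hits.append("hide_in_folder:" + p["MoveToFolder"])
    for name in KEYWORD_PARAMS.intersection(p):
        terms = {t.strip().lower() for t in p[name].split(";")} & SENSITIVE_TERMS
        if terms:
            hits.append("sensitive_keywords:" + ",".join(sorted(terms)))
    return hits

def first_seen_ip(record, signins):
    """IP of a sign-in within WINDOW before the rule that this user never used earlier, else None."""
    created = datetime.fromisoformat(record["CreationTime"])
    mine = [(datetime.fromisoformat(s["time"]), s["ip"]) for s in signins
            if s["user"].lower() == record["UserId"].lower()]
    baseline = {ip for t, ip in mine if t < created - WINDOW}          # IPs with prior history
    recent = [ip for t, ip in mine if created - WINDOW <= t <= created]
    return next((ip for ip in recent if ip not in baseline), None)

def triage(audit_records, signins):
    """One finding per suspicious New-InboxRule event, tagged with a first-seen sign-in IP if any."""
    return [{"user": r["UserId"], "indicators": hits, "first_seen_ip": first_seen_ip(r, signins)}
            for r in audit_records if r["Operation"] == "New-InboxRule" and (hits := rule_indicators(r))]

# Constructed sample: the article's "Payment Receipt" -> Archive rule, created 15 minutes after a sign-in from a never-before-seen IP.
SIGNINS = [{"user": "acct.specialist@corp.example", "ip": "10.0.0.5", "time": "2025-11-01T09:00:00"},
           {"user": "acct.specialist@corp.example", "ip": "203.0.113.7", "time": "2025-11-03T08:30:00"}]
AUDIT = [{"CreationTime": "2025-11-03T08:45:00", "UserId": "acct.specialist@corp.example",
          "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "Receipts"},
          {"Name": "SubjectOrBodyContainsWords", "Value": "Payment Receipt"},
          {"Name": "MoveToFolder", "Value": "Archive"}]}]
FINDINGS = triage(AUDIT, SIGNINS)   # one finding: hide_in_folder + sensitive_keywords, IP 203.0.113.7
```

In a real tenant the same logic would be fed from the Search-UnifiedAuditLog export or a Sentinel query rather than inline dicts, and the baseline of known IPs should span weeks, not the two days shown here.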
Response

When a malicious mailbox rule is identified, the following steps are not optional:

  1. Remove all unauthorised rules — audit for hidden or conditional rules beyond the obvious ones
  2. Revoke all active sessions and refresh tokens — password resets alone do not terminate persistent access
  3. Analyse Entra ID sign-in logs — identify the initial access event, the source IP, user agent, and any subsequent lateral movement
  4. Audit and revoke suspicious OAuth grants — remove any unrecognised application with mailbox permissions
  5. Treat the account as fully compromised — even if the mailbox rule appears to be the only indicator, assume the attacker had complete visibility into all correspondence from the point of initial access

The Broader Picture for UAE Security Leadership

The UAE's position as a regional technology and financial hub makes its organisations high-value targets. The combination of a sophisticated attacker community, a rapidly expanding cloud-first enterprise environment, and a daily attack volume measured in the hundreds of thousands creates a threat landscape that demands corresponding sophistication in defence.

Mailbox rule abuse will not be the last time attackers weaponise a platform's native features against its users. The pattern — gain access, use legitimate tools, stay invisible — is the defining characteristic of modern cloud-native adversaries. Security programmes that are still primarily oriented around perimeter defence and malware detection are structurally unprepared for it.

The entry point, as the data consistently shows, remains email. Seventy-five percent of attacks in the UAE begin with a phishing email. That single statistic should be the starting point for every security team's 2026 threat model.

Key Takeaways for CISOs

  • Malicious mailbox rules are a post-exploitation technique, not a vulnerability — they cannot be patched away
  • One in ten compromised M365 accounts in Q4 2025 had a malicious rule created shortly after breach
  • Rules survive password resets — credential rotation alone does not eradicate this threat
  • Disabling external auto-forwarding at the tenant level is the single highest-impact preventive control
  • Detection requires active audit log monitoring, not passive alerting on traditional threat indicators
  • Response must include session revocation, OAuth audit, and full account compromise assumption
