Hackers Exploit Microsoft 365 Mailbox Rules to Retain Access After Password Change
What Happened — Security researchers found that adversaries who have obtained a user’s Microsoft 365 credentials can create or modify mailbox transport rules. Those rules forward, copy, or delete messages, allowing the attacker to keep reading or exfiltrating email even after the victim changes their password.
Why It Matters for TPRM
- Persistent mailbox rules bypass typical credential‑reset controls, exposing confidential communications.
- Compromise can spread to other SaaS services linked to the mailbox (e.g., SharePoint, Teams).
- Many third‑party risk assessments rely on “password change = remediation,” which this technique invalidates.
Who Is Affected — Any organization that uses Microsoft 365 (cloud‑based email) – finance, healthcare, government, education, and most enterprise SaaS customers.
Recommended Actions
- Conduct an immediate audit of all mailbox transport rules for every user.
- Remove any rules you did not create and lock down rule‑creation permissions to admin‑only.
- Enforce MFA and conditional access policies for all M365 accounts.
- Deploy mailbox activity monitoring and alert on rule changes.
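The audit and alerting steps above, worked through as an added example that is not part of the original brief: a Python script that scores Microsoft 365 audit records describing inbox-rule or mailbox-forwarding changes and flags the combinations attackers use to keep reading a mailbox (forwarding to an outside address, deleting or hiding the forwarded copy, blank rule names, keyword filters on sensitive subjects). It assumes records shaped like the Exchange admin-audit entries returned by Search-UnifiedAuditLog, already expanded into one JSON object per line with an Operation name and a Parameters list of Name/Value pairs; the tenant domain, the sample records, the cmdlet list and the scoring weights are assumptions chosen for illustration.

```python
"""Flag suspicious inbox-rule / forwarding changes in M365 audit records (added example)."""
import json
import re

INTERNAL_DOMAINS = {"contoso.example"}          # assumed tenant mail domain(s)

# Cmdlets that create or alter per-mailbox rules or mailbox-level forwarding (assumed list).
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
STASH_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                 "junk email", "deleted items", "archive"}
SENSITIVE_WORDS = {"password", "invoice", "wire", "payment", "bank", "mfa"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed sample export (not real log data): one JSON record per line.
SAMPLE_LOG = r'''
{"CreationTime":"2024-05-01T08:12:01","Operation":"New-InboxRule","UserId":"alice@contoso.example","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop@attacker.example"},{"Name":"DeleteMessage","Value":"True"},{"Name":"SubjectContainsWords","Value":"invoice;password;wire"}]}
{"CreationTime":"2024-05-01T09:30:44","Operation":"New-InboxRule","UserId":"bob@contoso.example","ClientIP":"198.51.100.4","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2024-05-01T10:05:13","Operation":"Set-Mailbox","UserId":"carol@contoso.example","ClientIP":"203.0.113.7","Parameters":[{"Name":"Identity","Value":"carol"},{"Name":"ForwardingSmtpAddress","Value":"smtp:carol.backup@contoso.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2024-05-01T11:00:00","Operation":"MailItemsAccessed","UserId":"dave@contoso.example","ClientIP":"198.51.100.9","Parameters":[]}
'''


def parse_records(text):
    """Parse a JSON-lines export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parameters(record):
    """Flatten the Parameters list into {name: value}; values are stringified."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def external_addresses(value):
    """Addresses in a parameter value whose domain is not one of ours.
    Handles both 'smtp:user@x' and the '"Name" [SMTP:user@x]' display form."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def severity(score):
    return "high" if score >= 4 else "medium" if score >= 2 else "low"


def assess(record):
    """Score one audit record; None if it is not a rule or forwarding change."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    p = parameters(record)
    score, reasons = 0, []
    for name in sorted(FORWARD_PARAMS & p.keys()):
        ext = external_addresses(p[name])
        if ext:
            score += 3
            reasons.append(f"{name} to external address(es): {', '.join(ext)}")
        elif EMAIL_RE.search(p[name]):
            score += 1
            reasons.append(f"{name} to an internal address")
    if p.get("DeleteMessage", "").lower() == "true":
        score += 2
        reasons.append("DeleteMessage=True hides forwarded mail from the owner")
    if p.get("MarkAsRead", "").lower() == "true":
        score += 1
        reasons.append("MarkAsRead=True suppresses unread indicators")
    if p.get("MoveToFolder", "").strip(":\\").lower() in STASH_FOLDERS:
        score += 1
        reasons.append(f"moves mail into rarely viewed folder {p['MoveToFolder']!r}")
    if "Name" in p and not re.search(r"[A-Za-z0-9]{3,}", p["Name"]):
        score += 1
        reasons.append(f"rule name {p['Name']!r} is blank or punctuation only")
    words = {w.strip().lower() for w in re.split(
        r"[;,]", p.get("SubjectContainsWords", "") + ";" + p.get("BodyContainsWords", ""))
        if w.strip()}
    if words & SENSITIVE_WORDS:
        score += 1
        reasons.append(f"filters on sensitive keywords: {', '.join(sorted(words & SENSITIVE_WORDS))}")
    return {"time": record.get("CreationTime"), "user": record.get("UserId"),
            "ip": record.get("ClientIP"), "operation": record["Operation"],
            "score": score, "severity": severity(score), "reasons": reasons}


def find_suspicious_rule_changes(text):
    """Assess every record in an export; return scored findings, highest first."""
    findings = [r for r in map(assess, parse_records(text)) if r and r["score"] > 0]
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in find_suspicious_rule_changes(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['user']} {f['operation']} from {f['ip']} at {f['time']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run against the constructed sample it reports Alice's rule as high (external forward plus delete, a one-character name and sensitive keyword filters) and Carol's internal forwarding change as low, while Bob's ordinary newsletter rule and the unrelated MailItemsAccessed record produce nothing. Feeding the script a real export means pointing it at the expanded AuditData objects and adjusting INTERNAL_DOMAINS; the weights are deliberately simple so that any forward to an outside domain alone is enough to page someone.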
Technical Notes — Attack vector: compromised credentials used to add malicious inbox rules (no known CVE). Data at risk: email content, attachments, and any downstream data shared via linked Microsoft services. Source: Graham Cluley on Fortra