I recently read an article about a growing email “threat vector” affecting Microsoft 365 (M365) users that abuses email rules, forms, and connectors on email clients and servers, particularly in the work environment. If you use the M365 email client as part of your home subscription, you can also be susceptible to this means of compromise.
The threat involves server-side email configurations such as malicious connectors, rules, and apps that keep working even after you change your password. To describe the role of a connector, think of your email as a house. Your inbox is the living room where you first see the messages. There you have rules, which act as little helpers that guide your guests to specific “rooms” in your house: “If the rule is ‘newsletter,’ the email goes in that room over there.” Connectors control how email flows in and out of your house so it can integrate with other mail systems or services.
Attackers love anything that lives on any server (not just your device) that keeps working after you change your password or buy a new laptop/device. For home users, similar “invisible plumbing” shows up as server-side inbox rules and mail forwarding as well as compromised and malicious apps with ongoing access.
As with so many other breaches, attackers attempt to gain access to your email account with a simple phish:
- A fake email: “Click here to view the document.”
- A fake meeting invite or voicemail that asks you to sign in.
- A page that looks like Microsoft asking you to approve an app.
If you fall for the phish and enter your username and password or click “Allow” to grant an app permission, the attacker now can access your account.
Once inside, attackers don’t just read your email and leave. They often set up long-term access where they can hide their tracks and steal money or data over time:
- By creating malicious inbox rules that:
  - Forward certain emails (e.g., those with “bank”, “invoice”, “password”) to themselves.
  - Move/delete emails so you never see the security alerts, bank messages, or replies that might expose the scam.
- Using mail forwarding: A single setting in Outlook on the web can quietly forward all your email to another address. It’s such a common attacker trick that threat intel teams specifically watch for this behavior.
- Malicious apps (OAuth): This feels “connector-like” for home users in that you may see a legitimate-looking Microsoft prompt asking permission for “App XYZ” to read/send email on your behalf. Clicking “Allow” gives the app access to your mail and files directly from the cloud. These malicious OAuth apps can keep reading your email even after you change your password or turn on MFA, until you go in and manually remove the app’s access.
This is very similar in spirit to a malicious connector in that it’s a trusted-looking configuration on the cloud server that silently keeps the attacker connected.
This really matters for home users because if your personal M365/Outlook.com address is your “main email,” it’s probably the recovery point for your:
- Bank and credit card accounts,
- PayPal, shopping sites, and subscriptions,
- Social media and maybe even crypto or investment accounts.
If an attacker has ongoing access to your mailbox, they can repeatedly:
- Reset passwords on other sites and take over those accounts.
- Watch for statements, tax docs, and IDs for identity theft.
- Impersonate you to friends and family (“Can you send me money?”)
In other words, it’s not just about reading your email, it’s about controlling your digital life.
So, what can you do in such a situation? First recognize the warning signs that something’s wrong.
Watch for:
- Password reset emails that never arrive.
- Friends or family asking, “Why did you send me that weird link?”
- Security alerts from Microsoft or your bank about logins you don’t recognize.
- Emails that people say they sent you, but you can’t find anywhere—not even in the Junk or Deleted folders.
These are the common symptoms seen in real cases where malicious rules or server-side settings were in play.
While this all seems scary, you can develop your own home-user “incident response plan” by:
- Changing your Microsoft password to something long and unique.
- Turning on multi-factor authentication (preferably an authenticator app over SMS/text).
- In Outlook on the web, checking:
  - Mail / Rules, and deleting anything you don’t recognize.
  - Mail / Forwarding, and turning off forwarding unless you set it up yourself.
- In your Microsoft account, reviewing apps and services with access and removing anything you don’t know or don’t use.
- Logging into your other important accounts (bank, PayPal, Amazon, etc.), enabling MFA there, and checking for unusual activity.
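The rules check above (and the malicious-rule patterns described earlier) can be automated if you export your inbox rules. Below is an added example, not code from the original article or from Microsoft: it triages rules in the shape returned by the Microsoft Graph messageRules endpoint for the red flags named on this page (external forwarding, deleting or burying mail, sensitive-keyword triggers, blank names). The sample rules, the attacker address and the owner domain are constructed; it also assumes that `moveToFolder` has already been resolved from a Graph folder id to a folder name.

```python
SENSITIVE_KEYWORDS = {"bank", "invoice", "password", "payment", "statement"}
HIDING_FOLDERS = {"deleteditems", "junkemail", "rss feeds", "archive"}  # names; Graph ids assumed resolved

def _external_domains(recipients, owner_domains):
    """Domains of forwardTo/redirectTo recipients outside the owner's own."""
    addrs = [r.get("emailAddress", {}).get("address", "").lower()
             for r in recipients or []]
    return [a.split("@")[-1] for a in addrs
            if "@" in a and a.split("@")[-1] not in owner_domains]

def triage_rule(rule, owner_domains):
    """Return reasons this rule looks like attacker persistence ([] if clean)."""
    reasons = []
    actions, conds = rule.get("actions", {}), rule.get("conditions", {})
    # Forwarding or redirecting mail outside the mailbox owner's own domains.
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        for domain in _external_domains(actions.get(key), owner_domains):
            reasons.append(f"{key} sends mail to external domain {domain}")
    # Deleting or burying mail so security alerts and replies are never seen.
    if actions.get("delete"):
        reasons.append("rule deletes matching mail")
    folder = str(actions.get("moveToFolder", "")).lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"rule moves mail to {folder}")
    # Keyword triggers typical of financial or credential theft.
    words = [w.lower() for key in ("subjectContains", "bodyOrSubjectContains",
             "bodyContains") for w in conds.get(key, [])]
    hits = SENSITIVE_KEYWORDS.intersection(words)
    if hits:
        reasons.append("triggers on keywords: " + ", ".join(sorted(hits)))
    # Attacker rules are often named with a blank or a single character.
    if len(rule.get("displayName", "").strip()) <= 1:
        reasons.append("rule has an empty or one-character name")
    return reasons

def find_suspicious_rules(rules, owner_domains):
    """Map rule name -> reasons for every rule with at least one red flag."""
    flagged = {}
    for rule in rules:
        if reasons := triage_rule(rule, owner_domains):
            flagged[rule.get("displayName", "")] = reasons
    return flagged

SAMPLE_RULES = [  # constructed sample rules, not taken from a real mailbox
    {"displayName": "Newsletters", "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "conditions": {"bodyOrSubjectContains": ["Bank", "invoice", "password"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@attacker.example"}}],
                 "markAsRead": True, "moveToFolder": "DeletedItems"}},
]
```

Run `find_suspicious_rules(SAMPLE_RULES, {"outlook.com"})` with your own mailbox domain in place of the constructed one; only the second rule is reported, with all four reasons.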
Even if you’re just one person with a home Microsoft 365 account, you’re still using the same powerful cloud platform as big businesses, and attackers know it. So don’t just think “password and antivirus,” think, “What could keep working after I change my password?”
By remembering to occasionally check your email rules, forwarding, and connected apps, you’ll be miles ahead of most people and much harder for attackers to exploit.