Hackers spied on a stock exchange executive's Outlook mailbox for five months via malicious OAuth app and inbox-rule persistence

Researchers have detailed a cyber-espionage campaign in which attackers maintained access to a global stock exchange executive's Microsoft Outlook mailbox for roughly five months. The intrusion relied on a malicious OAuth application and inbox-rule persistence to quietly read and forward mail while evading detection. By abusing OAuth consent rather than stealing a password, the attackers retained access that survived password changes and looked like routine application traffic in logs. The five-month dwell time on a single high-value executive points to a patient, intelligence-driven operation rather than opportunistic crime. The case reinforces the now-recurring pattern of OAuth-app abuse and malicious inbox rules as the core of stealthy Microsoft 365 mailbox compromise.

Check
Audit Microsoft 365 for unfamiliar OAuth app consents and mailbox inbox rules, especially on executive accounts. Review consent-grant and rule-creation logs for the past six months.
Affected
High-value Microsoft 365 mailboxes, particularly executives. OAuth-consent abuse plus malicious inbox rules grants persistent, password-change-surviving access that blends into normal application traffic.
Fix
Restrict third-party OAuth app consent to admin approval. Alert on new mailbox-forwarding rules. Enforce phishing-resistant MFA and periodically review granted OAuth applications on sensitive accounts.
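The audit and alerting steps in Check and Fix can be turned into a simple triage pass over exported audit records. The following is an added example, not code from the original article or from the researchers; it assumes records shaped like Microsoft 365 Unified Audit Log entries (Operation, UserId, Parameters as Name/Value pairs, Consent to application. for OAuth grants), with all sample values constructed here.

```python
# Constructed sample records, shaped like Microsoft 365 Unified Audit Log entries
# (Operation, UserId, Parameters as Name/Value pairs). All values are made up.
SAMPLE_AUDIT_LOG = [
    {"CreationTime": "2024-03-02T07:14:09", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "exec@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardAsAttachmentTo", "Value": "collector@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-03T09:00:00", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "staff@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2024-03-01T22:41:55", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application.", "UserId": "exec@example.com",
     "ObjectId": "00000000-0000-0000-0000-00000000beef"},  # placeholder app id
]

INTERNAL_DOMAIN = "example.com"  # assumed tenant domain
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDING_PARAMS = ("DeleteMessage", "MarkAsRead")  # make forwarded copies invisible

def is_external(address: str) -> bool:
    return "@" in address and not address.lower().endswith("@" + INTERNAL_DOMAIN)

def triage_record(rec: dict) -> list[str]:
    """Return human-readable findings for one record; an empty list means nothing of note."""
    op, user = rec.get("Operation", ""), rec.get("UserId", "?")
    findings = []
    if op in ("New-InboxRule", "Set-InboxRule"):
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = [params[k] for k in FORWARDING_PARAMS if k in params and is_external(params[k])]
        if targets:
            findings.append(f"{user}: {op} forwards mail to external {', '.join(targets)}")
        hides = [k for k in HIDING_PARAMS if params.get(k) == "True"]
        if targets and hides:
            findings.append(f"{user}: rule also hides forwarded copies via {', '.join(hides)}")
    elif op == "Consent to application.":
        # Every user-granted consent on a sensitive mailbox deserves a review.
        findings.append(f"{user}: consented to OAuth app {rec.get('ObjectId', 'unknown')}")
    return findings

def triage_log(records) -> list[str]:
    """Triage records in chronological order so consent and rule events line up as a timeline."""
    out = []
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        out.extend(triage_record(rec))
    return out

if __name__ == "__main__":
    for line in triage_log(SAMPLE_AUDIT_LOG):
        print(line)
```

Feed it the output of an audit-log export for the six-month window named above; a consent event followed days later by an external-forwarding rule on the same account is the sequence the article describes.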