In a recent piece on the KnowBe4 blog, cybersecurity expert Roger Grimes shines a much-needed spotlight on an often-overlooked but increasingly dangerous threat vector within Microsoft 365: malicious email rules, forms, and connectors. These seemingly innocuous features—long part of Microsoft Outlook and Exchange—are being hijacked by cybercriminals to silently maintain persistence, reroute communications, and steal sensitive data, often long after a breach has supposedly been “resolved.”

Grimes has been warning about these risks for decades, but what’s alarming now is the scale at which these tools are being exploited, especially in the cloud-based Microsoft 365 ecosystem used by over 300 million users globally. Most users—and even IT admins—don’t realize that even after changing login credentials or reinstalling systems, an attacker’s foothold can persist through rogue rules and connectors that live in the backend. These mechanisms are stealthy, rarely show signs of activity, and usually don’t log conspicuous events.

He explains how attackers often start by gaining credentials via phishing, sometimes bypassing multifactor authentication (MFA) using adversary-in-the-middle techniques. Once inside, they exploit Outlook’s rules and forms to manipulate how email is sent, received, or hidden. Attackers can delete sent emails, reroute replies, or silently exfiltrate sensitive data—all without alerting the victim.

Worse still, Exchange connectors, traditionally used to manage email flow at the server level, are becoming an increasingly popular attack vector. Many Microsoft 365 users are unaware that these connectors even exist—let alone that they can be weaponized. Connectors, when compromised, allow attackers to send and receive mail through trusted channels while masking their activities. Grimes notes that Microsoft documentation and support teams have recently increased their focus on rogue connectors, suggesting a noticeable rise in real-world exploitation.

One compelling example Grimes shares involves a savvy small business owner who fell victim despite using MFA. An attacker gained access, scanned his inbox for invoice communications, and then sent altered payment instructions to clients. Using a rogue Exchange connector, they hid traces of the scam. The fraud wasn’t uncovered until significant financial damage had already occurred. The swift response by Microsoft support—immediately pointing to connectors—demonstrates how widespread and known this technique has become among professionals, even if users are still in the dark.

The article doesn’t just sound the alarm; it offers actionable defenses. Grimes advises all Microsoft 365 users and admins to regularly check for unexpected rules, forms, and especially connectors through the Microsoft 365 admin console. Legitimate setups are rare for small businesses and individual users, so any unknown or oddly named entry should be scrutinized. Microsoft itself has published new guidance on identifying and responding to connector-based attacks.
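
The same review can be scripted instead of clicked through. The following is an added example, not code from Grimes's article or from Microsoft's guidance: a read-only Exchange Online PowerShell pass that lists inbox rules which forward, redirect, delete or move mail, plus every inbound and outbound connector. It assumes the ExchangeOnlineManagement module and an Exchange administrator role; the output file names are arbitrary, and custom Outlook forms are not covered.

```powershell
# Added example: read-only review of inbox rules and mail-flow connectors.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds an Exchange administrator role. Nothing here changes settings.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Inbox rules that forward, redirect, delete or move mail, in every mailbox.
# -IncludeHidden also returns rules that Outlook does not display.
$rules = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden |
        Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
            $_.DeleteMessage -or $_.MoveToFolder
        } |
        Select-Object @{n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
            Name, Enabled, DeleteMessage, MoveToFolder,
            @{n = 'ForwardTo'; e = { $_.ForwardTo -join '; ' } },
            @{n = 'ForwardAsAttachmentTo'; e = { $_.ForwardAsAttachmentTo -join '; ' } },
            @{n = 'RedirectTo'; e = { $_.RedirectTo -join '; ' } }
}

# Every connector in the tenant. For a small tenant the expected result is
# usually an empty list, so each entry should be traceable to a known owner.
$inbound = Get-InboundConnector |
    Select-Object Name, Enabled, ConnectorType, WhenCreated,
        @{n = 'SenderDomains'; e = { $_.SenderDomains -join '; ' } },
        @{n = 'SenderIPAddresses'; e = { $_.SenderIPAddresses -join '; ' } }

$outbound = Get-OutboundConnector |
    Select-Object Name, Enabled, ConnectorType, UseMXRecord, WhenCreated,
        @{n = 'RecipientDomains'; e = { $_.RecipientDomains -join '; ' } },
        @{n = 'SmartHosts'; e = { $_.SmartHosts -join '; ' } }

# Save the findings for manual review (file names are arbitrary).
$rules    | Export-Csv .\inbox-rules-review.csv -NoTypeInformation
$inbound  | Export-Csv .\inbound-connectors.csv -NoTypeInformation
$outbound | Export-Csv .\outbound-connectors.csv -NoTypeInformation

'{0} rule(s), {1} inbound and {2} outbound connector(s) to review' -f `
    @($rules).Count, @($inbound).Count, @($outbound).Count

Disconnect-ExchangeOnline -Confirm:$false
```

A rule that deletes or moves mail is not malicious by itself; the entries to chase are the ones no user or administrator can account for.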

Additionally, Grimes strongly recommends upgrading to phishing-resistant MFA, such as FIDO2 security keys or passkeys, which are far less vulnerable than traditional OTP-based systems. And perhaps most importantly, he underscores the need for user education—both end users and administrators must understand that what seems like a minor email compromise can actually be the beginning of a full organizational breach.

Grimes concludes that if you’re using Microsoft 365—no matter how small your setup—you’re potentially at risk. And if you suspect your email has been compromised, don’t just change your password. Check your rules, forms, and connectors—or someone else might still be reading your mail.

Alliance IT understands that these issues and risks can seem overwhelming to the everyday user. If you are an SMB running Microsoft 365 in your organization, don’t wait for a problem to find you. Call the experts at Alliance IT – we can help you assess your situation and mitigate future issues before they hurt your business. At Alliance IT, we help small businesses grow, thrive and compete. How can we help you?