Outlook Scammer Exploit (Hidden Rule)

A difficult-to-detect phishing attack is catching Outlook users off guard: it uses the built-in Rules feature to forward emails to an attacker's third-party mailbox. In most cases, the rules are configured to match keywords related to finance, such as "Payment", "Invoice" or "Bank".

The malicious Outlook rules are created using traditional email phishing methods. The target receives an email that appears to come from an existing contact or an organization known to them. A link in the phishing email takes the user to a fake Office 365 login page that requests the user's credentials. Once they have been entered, the log-in fails, but the attackers can then use the stolen credentials to install an email forwarding rule among the target's Outlook rules.
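As an added example (not part of the original article), the triage logic below reviews a mailbox's inbox rules for the pattern described above: a rule that forwards or redirects mail to an address outside the organization, filters on finance keywords, and hides the forwarded message from the owner (delete, or move to a folder nobody reads). The rule records are constructed here in a JSON-like shape loosely modelled on an exported Get-InboxRule listing; the property names and the internal domain list are assumptions an analyst would adapt to their own export.

```python
import re

# Constructed sample rules (assumed shape, loosely modelled on an exported
# Get-InboxRule listing; real property names and address formats may differ).
INTERNAL_DOMAINS = {"example.com"}
FINANCE_KEYWORDS = {"payment", "invoice", "bank", "wire", "remittance", "swift"}
SAMPLE_RULES = [
    {"Name": "Finance", "Enabled": True, "SubjectContainsWords": ["Invoice", "Payment"],
     "ForwardTo": ["drop@mail-collector.example.net"], "DeleteMessage": True},
    {"Name": "Helpdesk copy", "Enabled": True, "SubjectContainsWords": ["ticket"],
     "ForwardTo": ["helpdesk@example.com"], "DeleteMessage": False},
    {"Name": ".", "Enabled": True, "BodyContainsWords": ["bank"],
     "RedirectTo": ["a@freemail.example"], "MoveToFolder": "RSS Feeds"},
]
HIDING_FOLDERS = {"rss feeds", "deleted items", "junk email"}
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", re.I)

def external_targets(rule, internal_domains=INTERNAL_DOMAINS):
    """Forwarding/redirect addresses whose domain is not one of ours."""
    out = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for target in rule.get(key) or []:
            m = ADDR_RE.search(target)
            if m and m.group(1).lower() not in internal_domains:
                out.append(m.group(0))
    return out

def finance_terms(rule):
    """Subject/body keyword conditions that match the finance vocabulary."""
    words = (rule.get("SubjectContainsWords") or []) + (rule.get("BodyContainsWords") or [])
    return sorted({w for w in words if w.lower() in FINANCE_KEYWORDS})

def assess_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Reasons a rule looks like mailbox exfiltration; an empty list means benign."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons                      # disabled rules are not a live risk
    ext = external_targets(rule, internal_domains)
    if ext:                                 # everything else only matters if mail leaves the org
        reasons.append("forwards to external address: " + ", ".join(ext))
        if terms := finance_terms(rule):
            reasons.append("filters on finance keywords: " + ", ".join(terms))
        if rule.get("DeleteMessage") or str(rule.get("MoveToFolder", "")).lower() in HIDING_FOLDERS:
            reasons.append("hides the forwarded message from the owner")
        if len(rule.get("Name", "").strip()) <= 1:
            reasons.append("near-empty rule name")
    return reasons

def triage(rules, internal_domains=INTERNAL_DOMAINS):
    """Map rule name -> reasons, for every rule that deserves an analyst's attention."""
    return {r["Name"]: why for r in rules if (why := assess_rule(r, internal_domains))}

for name, why in triage(SAMPLE_RULES).items():
    print(f"[!] rule {name!r}: " + "; ".join(why))
```

Each flagged rule carries the reasons it tripped, so the same output can feed a ticket or a periodic review of newly created rules rather than a bare true/false verdict.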