What's happening in email security: April 13-19, 2026
Attackers don't need to keep logging in. Once they've cracked an M365 account, they're planting mailbox rules within seconds of first access, and those rules survive password resets. They keep quietly siphoning vendor threads long after the incident has been "closed."
Malicious mailbox rules are the post-compromise blind spot nobody patches
Proofpoint researchers found malicious inbox rules in roughly 10% of compromised Microsoft 365 accounts in Q4 2025. The interesting part isn't the rules themselves. It's how fast they're deployed and how long they stick around.
Attackers are creating forwarding and filtering rules within seconds of the first successful login. Tools to automate this across dozens of compromised accounts at once are now commodity. Rule names are a single character or a random string so they slide past admin review.
The mechanics are simple. One rule forwards every message containing "invoice," "payment," or "wire" to an attacker inbox. Another rule moves Microsoft security alerts into the RSS Subscriptions folder, where no one ever looks. A third rule hides replies from legal or IT. The victim has no reason to notice.
Here's the detection gap. Password resets don't touch mailbox rules. A security team spots suspicious activity, forces a reset, issues the all-clear, and the attacker keeps reading every inbound finance email. Proofpoint documented real-world outcomes including payroll hijacking, BEC against live vendor threads where attackers reply directly to active invoice conversations with swapped bank details, and university-scale spam sent from stolen accounts without the owners ever seeing outbound activity.
The BEC angle is what makes this wave different from earlier mailbox rule abuse. Attackers don't have to send any emails themselves. They watch an existing vendor thread, wait for the payment question to land, and insert a forged reply with new wire details. From finance's perspective, they're continuing a conversation they've been in for weeks.
Detection hinges on rule creation events in the Unified Audit Log, rules that forward outside the tenant, rules that move mail into hidden folders like Archive or RSS Subscriptions, and rule names that are a single character or random string. None of this is new tradecraft. What's new is the speed and the automation.
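Detection logic for the audit-log signals listed above, as an added example that is not part of the original article or of Proofpoint's tooling: it parses Unified Audit Log AuditData records for New-InboxRule and Set-InboxRule events and flags external forwarding, moves into never-reviewed folders, single-character or random-looking rule names, and finance-keyword filters. The sample records, the tenant domain corp.example and the "Conversation History" folder are constructed assumptions, and the random-name check is only a heuristic.

```python
import json
import re

# New-InboxRule / Set-InboxRule cmdlet parameters as they appear in the UAL "Parameters" array.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders the article names as never reviewed; "Conversation History" is an added assumption.
HIDDEN_FOLDERS = {"rss subscriptions", "archive", "conversation history"}
FINANCE_WORDS = ("invoice", "payment", "wire")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)

def assess_rule(audit_data, tenant_domain):
    """Return the reasons a New-/Set-InboxRule audit record looks malicious ([] if clean)."""
    rec = json.loads(audit_data)
    if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = {x["Name"]: str(x["Value"]) for x in rec.get("Parameters", [])}
    reasons = []
    for key in FORWARD_PARAMS:  # 1. forwards/redirects to an address outside the tenant
        for addr in EMAIL_RE.findall(p.get(key, "")):
            if not addr.lower().endswith("@" + tenant_domain.lower()):
                reasons.append(f"{key} outside tenant: {addr}")
    folder = p.get("MoveToFolder", "").split("\\")[-1].strip().lower()
    if folder in HIDDEN_FOLDERS:  # 2. parks mail where nobody looks
        reasons.append(f"MoveToFolder -> {folder}")
    name = p.get("Name", "").strip()
    random_looking = re.fullmatch(r"(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{6,}", name)
    if len(name) <= 1 or random_looking:  # 3. single character or random-looking name (heuristic)
        reasons.append(f"suspicious rule name {name!r}")
    if any(w in p.get("SubjectContainsWords", "").lower() for w in FINANCE_WORDS):
        reasons.append("filters on finance keywords")  # 4. the invoice/payment/wire rule
    return reasons

def scan(audit_lines, tenant_domain):
    """Map each record's Id to its findings; records with no findings are omitted."""
    hits = {}
    for line in audit_lines:
        reasons = assess_rule(line, tenant_domain)
        if reasons:
            hits[json.loads(line)["Id"]] = reasons
    return hits

# Constructed sample AuditData payloads (not real tenant data).
SAMPLE = [
    '{"Id":"r1","Operation":"New-InboxRule","UserId":"cfo@corp.example","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"},{"Name":"ForwardTo","Value":"[SMTP:collector@mail.example]"},{"Name":"MarkAsRead","Value":"True"}]}',
    '{"Id":"r2","Operation":"New-InboxRule","UserId":"cfo@corp.example","Parameters":[{"Name":"Name","Value":"x7k9q2"},{"Name":"From","Value":"no-reply@microsoft.example"},{"Name":"MoveToFolder","Value":":\\\\RSS Subscriptions"}]}',
    '{"Id":"r3","Operation":"New-InboxRule","UserId":"pm@corp.example","Parameters":[{"Name":"Name","Value":"Move newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":":\\\\Newsletters"}]}',
    '{"Id":"r4","Operation":"UserLoggedIn","UserId":"pm@corp.example"}',
]
```

Running `scan(SAMPLE, "corp.example")` flags r1 and r2 and leaves the benign newsletter rule and the login event alone; in practice the input lines come from the AuditData column of a Search-UnifiedAuditLog export.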
n8n webhooks become the new Dropbox for phishing payloads
Threat actors have been using n8n's legitimate webhook infrastructure since October 2025 to host malware delivery URLs inside phishing emails. The n8n workflows do what webhook.site, Dropbox, and Google Drive did before them: they route victims through a trusted domain so reputation-based filters wave the message through.
This is the same pattern email security teams have been fighting for years. The list of abused SaaS platforms keeps growing because the parent domain has to stay on allowlists if the legitimate service is useful to anyone. Random workflow subdomains rotate faster than signature feeds update. The fix is content inspection at the landing page, not domain reputation at the gateway.
Fake data breach alert emails are the latest phishing trap
ESET flagged a scaled phishing tactic that follows the news cycle. Criminals are running campaigns dressed as data breach notifications, sometimes piggybacking on real incidents and sometimes inventing breaches that never happened. The US recorded 3,322 reported breaches in 2025, which produced roughly 280 million legitimate notification emails. That volume has conditioned users to expect "we regret to inform you" messages in their inbox.
AI-generated copy has removed the obvious tells. Grammar is clean. Branding matches. The fake login pages are pixel-accurate. Fake notifications push recipients to "verify" credentials or download what's pitched as a security tool. Expect a measurable spike every time a real breach hits the headlines.
Microsoft tops brand impersonation rankings at 22%
Microsoft stayed at the top of Check Point's Q1 2026 brand impersonation rankings, showing up in 22% of all phishing attempts the firm observed. Apple jumped to second at 11%, a notable shift as attackers lean harder into consumer payment and identity targets. Google (9%), Amazon (7%), and LinkedIn (6%) rounded out the top five, and the top four brands together accounted for roughly half of every phishing attempt Check Point saw.
The techniques are the usual mix: lookalike domains, QR code redirection inside branded PDFs, and malware delivered from pages styled to match each brand's legitimate download portal. The concentration tells you where attacker infrastructure investment is going. If you run brand monitoring, these are the five brands to watch first.
FBI IC3 reports $20.9B in cybercrime losses for 2025, phishing losses triple year over year
The FBI's IC3 2025 annual report landed this week, and the phishing line is the one to flag. Reported phishing and spoofing losses hit $215.8M, up from $70M in 2024 and $18.7M in 2023. Complaint volume barely moved, so per-incident payouts are climbing fast. BEC losses reached $3.05B across 24,768 complaints, with 86% of stolen funds moving via wire or ACH. AI-linked BEC losses specifically came in at $30M. Among victims 60 and older, reported phishing losses nearly quadrupled year over year to $77M.
- FBI and Indonesian police take down the W3LL PhaaS kit
Joint operation seized the adversary-in-the-middle kit behind 17,000+ victims and roughly $20M in attempted fraud, removing a widely used MFA-bypass tool from the PhaaS market.
- Booking.com confirms hackers accessed customer data
Names, email addresses, and phone numbers tied to travel accounts were exposed, which creates a ready-made target list for follow-on phishing impersonating Booking.com.
- Patch Tuesday April 2026 fixes SharePoint zero-day that enables content spoofing
Microsoft patched 167 CVEs including a SharePoint content spoofing zero-day (CVE-2026-32201) that can be chained with phishing for convincing fake-portal BEC lures.