Petra Security

When Attackers Modify Your Mail Flow

How attackers abuse inbound connectors for persistence and internal phishing in M365

Adithya Vellal·March 3, 2026

Attackers targeting Microsoft 365 are refining every stage of their approach: more convincing phishing, stealthier initial access, and programmatic data exfiltration.

Attackers Are Getting More Sophisticated

Persistence is evolving too. Traditional tactics like adding inbox rules or moving items to folders still happen, but attackers are increasingly getting crafty.


5 Minutes From Initial Access to Modified Mail Flow

The attacker first logs in at 9:37:14 AM, then adds two inbound connectors at 9:41:22 AM and 9:42:21 AM, roughly five minutes after initial access.

Timeline of attacker actions, showing the initial login followed by the creation of two inbound connectors within roughly five minutes.

What's An Inbound Connector?

An inbound connector is a mail flow configuration that defines which external systems a tenant trusts to send email into it. Legitimate uses include routing mail from on-premises Exchange servers, accepting mail from third-party gateways, and applying security restrictions for business partners.

Basically, inbound connectors tell Microsoft: "Mail from these IPs is trusted."

When attackers create malicious connectors, they can whitelist attacker-controlled IP addresses, bypass authentication checks, and inject email directly into the tenant, establishing a backdoor that persists even after account lockout.

What's The Attacker Trying to Do?

The two inbound connectors shared the same telling characteristics:

  • Type: OnPremises
  • Sender IPs: attacker-controlled infrastructure — 151.244.170.227 (Interserver, NY data center) and 151.241.8.103 (OVH, Germany data center)
  • Sender Domains: * (all domains)

Connector configuration details showing the OnPremises type, attacker-controlled sender IPs, and a wildcard sender-domain setting.

By configuring the connector type as OnPremises, the attacker signals to Microsoft 365 that the traffic represents trusted on-premises infrastructure. Allowlisting all sender domains enables launching tenant-wide phishing campaigns from attacker-controlled servers.
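The timeline and the connector traits above translate directly into a hunt query over audit data. The script below is an added example, not Petra's tooling: it reads Unified Audit Log style records, ties each New-InboundConnector or Set-InboundConnector operation back to the acting account's first sign-in, and flags connectors that carry the traits described here (ConnectorType OnPremises, a wildcard in SenderDomains, explicit SenderIPAddresses). The sample records are constructed, the date is a placeholder, and the exact field layout of the export (in particular how multivalued parameters such as SenderDomains are rendered) is an assumption; adjust the key names if your export differs.

```python
"""Flag risky inbound-connector changes in exported Microsoft 365 audit records.

Added example, not the post's own tooling. The record layout below mirrors the
Unified Audit Log shape (Exchange admin cmdlet entries carry a "Parameters" list
of {"Name", "Value"} pairs) but is an assumption about your export format.
"""
import json
from datetime import datetime

# Constructed sample records (not real tenant data; the date is a placeholder).
# Timestamps and sender IPs mirror the incident described in the post.
SAMPLE_EXPORT = json.dumps([
    {"CreationTime": "2026-01-15T09:37:14", "Operation": "UserLoggedIn",
     "UserId": "victim@example.com", "ClientIP": "203.0.113.10", "RecordType": 15},
    {"CreationTime": "2026-01-15T09:41:22", "Operation": "New-InboundConnector",
     "UserId": "victim@example.com", "RecordType": 1,
     "Parameters": [
         {"Name": "Name", "Value": "Connector1"},
         {"Name": "ConnectorType", "Value": "OnPremises"},
         {"Name": "SenderIPAddresses", "Value": "151.244.170.227"},
         {"Name": "SenderDomains", "Value": "smtp:*;1"}]},
    {"CreationTime": "2026-01-15T09:42:21", "Operation": "New-InboundConnector",
     "UserId": "victim@example.com", "RecordType": 1,
     "Parameters": [
         {"Name": "Name", "Value": "Connector2"},
         {"Name": "ConnectorType", "Value": "OnPremises"},
         {"Name": "SenderIPAddresses", "Value": "151.241.8.103"},
         {"Name": "SenderDomains", "Value": "*"}]},
    # Benign change for contrast: a Partner connector scoped to one domain.
    {"CreationTime": "2026-01-15T11:05:00", "Operation": "New-InboundConnector",
     "UserId": "admin@example.com", "RecordType": 1,
     "Parameters": [
         {"Name": "Name", "Value": "PartnerGateway"},
         {"Name": "ConnectorType", "Value": "Partner"},
         {"Name": "SenderDomains", "Value": "smtp:partner.example;1"}]},
])

CONNECTOR_OPS = {"New-InboundConnector", "Set-InboundConnector"}


def parse_time(ts):
    """UAL CreationTime is UTC without an offset, e.g. 2026-01-15T09:41:22."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def params_of(record):
    """Flatten the Parameters list into a name -> value dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def risk_reasons(params):
    """Return the traits that make a connector change suspicious (may be empty)."""
    reasons = []
    if params.get("ConnectorType", "").lower() == "onpremises":
        reasons.append("ConnectorType=OnPremises")
    # Multivalued parameters may be rendered as "*" or "smtp:*;1" (assumption),
    # so a substring check covers both renderings.
    if "*" in params.get("SenderDomains", ""):
        reasons.append("SenderDomains includes wildcard")
    if params.get("SenderIPAddresses"):
        reasons.append("SenderIPAddresses=" + params["SenderIPAddresses"])
    return reasons


def find_connector_changes(export_json):
    """Report risky connector operations with seconds since the actor's first sign-in."""
    records = sorted(json.loads(export_json), key=lambda r: r["CreationTime"])
    first_login = {}
    findings = []
    for r in records:
        user, when = r["UserId"], parse_time(r["CreationTime"])
        if r["Operation"] == "UserLoggedIn":
            first_login.setdefault(user, when)
            continue
        if r["Operation"] not in CONNECTOR_OPS:
            continue
        params = params_of(r)
        reasons = risk_reasons(params)
        # Flag only when a high-risk trait is present; an IP allowlist alone
        # on a properly scoped Partner connector is routine configuration.
        if not any(x.startswith(("ConnectorType", "SenderDomains")) for x in reasons):
            continue
        since = first_login.get(user)
        findings.append({
            "time": r["CreationTime"], "user": user,
            "operation": r["Operation"], "connector": params.get("Name", "?"),
            "reasons": reasons,
            "seconds_since_first_login": None if since is None
            else int((when - since).total_seconds()),
        })
    return findings


if __name__ == "__main__":
    for f in find_connector_changes(SAMPLE_EXPORT):
        print(f"{f['time']} {f['user']} {f['operation']} {f['connector']} "
              f"(+{f['seconds_since_first_login']}s): {'; '.join(f['reasons'])}")
```

Run against the constructed export, the two OnPremises connectors are reported at 248 and 307 seconds after the account's first sign-in, and the Partner connector is not. In a real investigation the flagged connector names feed straight into containment: review them in the Exchange admin center or with Get-InboundConnector in Exchange Online PowerShell and disable or remove any the organization did not create, alongside the password reset and session revocation.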

Even after the attacker is locked out of the compromised account, they can still deliver phishing emails into the tenant from infrastructure they control.

The phishing emails are guaranteed to land in users' inboxes, and they'll look like they're coming from internal users.

Takeaway: Containment Doesn't Stop at Password Reset

Resetting the password and revoking sessions wouldn't fix it. The connectors would still allow phishing into the tenant. Comprehensive incident response requires tracking all attacker actions, not just account remediation.

This is why it's so important to track every action the attacker takes while they have access.

See what's in your last six months of logs.

Run six months of M365 logs through Petra and get insurance-grade forensics within 48 hours. Five minutes to set up with no sales call.