How can an attacker persistently access an Exchange user's emails after obtaining their password, even if the password is later changed?
After obtaining a user's password (e.g., user test1), an attacker can add a forwarding rule either through the Exchange Control Panel (ECP) or through SOAP XML messages sent to Exchange Web Services. For example, using the **UpdateInboxRules** operation, they can create a rule that forwards every incoming email to an account they control. This persistence method keeps working even after test1 changes the password, because the rule is stored in the mailbox itself and is not tied to the credential. For more details, refer to the original article on Penetration Basics - Methods to Continuously Obtain Exchange User Inbox Emails.
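Because the rule survives a password reset, the remediation step that matters is finding and removing it. The audit script below is an added example, not code from the original article; it walks every mailbox with the standard `Get-Mailbox` and `Get-InboxRule` cmdlets and flags rules (and mailbox-level forwarding) whose destination is outside the domains you list in `$InternalDomains`, which is an assumed placeholder value.

```powershell
# Added example (not from the original article): audit all mailboxes for inbox
# rules that forward or redirect mail, and flag destinations outside the org.
# Run from an Exchange Management Shell / remote PowerShell session with at
# least the View-Only Recipients role.
# Assumption: $InternalDomains holds your own accepted domains; adjust it.
$InternalDomains = @('corp.example')

function Get-SmtpAddressesFromRecipients {
    param([string[]]$Recipients)
    # Recipient strings look like '"Name" [SMTP:user@domain]' or '[EX:/o=...]'.
    # Extract the SMTP part; legacyDN-only entries are internal by definition.
    foreach ($r in $Recipients) {
        if ($r -match 'SMTP:([^\]]+)\]') { $Matches[1].ToLower() }
    }
}

function Test-IsExternal {
    param([string]$Address)
    $domain = ($Address -split '@')[-1].ToLower()
    return -not ($InternalDomains -contains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding also survives a password change; check it too.
    if ($mbx.ForwardingSmtpAddress) {
        $fwd = $mbx.ForwardingSmtpAddress.ToString() -replace '^smtp:', ''
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Rule = '<mailbox forwarding>'
                           Enabled = $true; DeletesCopy = -not $mbx.DeliverToMailboxAndForward
                           Target = $fwd; External = Test-IsExternal $fwd }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        # ForwardTo, RedirectTo and ForwardAsAttachmentTo are the three actions
        # that move a copy of the message somewhere else.
        $recips  = @($rule.ForwardTo) + @($rule.RedirectTo) + @($rule.ForwardAsAttachmentTo)
        foreach ($t in Get-SmtpAddressesFromRecipients -Recipients $recips) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Rule = $rule.Name
                               Enabled = $rule.Enabled; DeletesCopy = $rule.DeleteMessage
                               Target = $t; External = Test-IsExternal $t }
        }
    }
}

# Externally-forwarding rules first; a rule that also deletes the local copy
# is the strongest sign the owner is not meant to notice it.
$findings | Where-Object External | Sort-Object DeletesCopy -Descending | Format-Table -AutoSize
```

Once a rule is confirmed malicious, remove it with `Remove-InboxRule -Mailbox <user> -Identity <rule name>` and review the mailbox audit log for the UpdateInboxRules activity that created it.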