CASE 1: As an admin, you have set up alerts in your tenant to warn you when someone creates an Outlook rule that forwards emails externally.
CASE 2: Imagine that a user's password was captured by phishing and his account didn't have 2FA (OMG) enabled. When you discovered the incident, you of course changed his password and enabled 2FA. Some time later, the same user receives suspicious emails, as if someone still has access to his mailbox and its content.
CASE 3: A user complains that some emails are missing or were never received in his mailbox.
All of these cases can be caused by an inbox rule on the user's mailbox. To check this with PowerShell, do the following:
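Connect to Microsoft 365 (Exchange Online) with PowerShell. Get-InboxRule is an Exchange Online cmdlet, so the session has to come from the ExchangeOnlineManagement module:
Connect-ExchangeOnline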
Run the command below to list the inbox rules on the mailbox that forward or redirect mail. Replace USERMAILBOX with the name of the mailbox.
Get-InboxRule -Mailbox USERMAILBOX | Select-Object Name, Description, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage | Where-Object {($_.ForwardTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null) -or ($_.RedirectTo -ne $null)}
To remove the rule:
Get-InboxRule -Mailbox USERMAILBOX -Identity "RULE-NAME" | Remove-InboxRule
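The check above, extended to cover all three cases (external forward, lingering access through a redirect, and silently deleted mail). This is an added example, not code from the original post. The function name Find-RiskyInboxRule, the domain contoso.example and the recipient string format are assumptions, and the sample rules are constructed so the script runs without a tenant connection.

```powershell
# Added example (not from the original post): flag forwarding, redirect and delete rules.
function Find-RiskyInboxRule {
    param(
        [Parameter(ValueFromPipeline)] $Rule,
        # Assumption: replace with your tenant's accepted domains.
        [string[]] $InternalDomain = @('contoso.example')
    )
    process {
        $reasons = @()
        # Every recipient the rule sends mail to; empty properties are dropped.
        $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            # Assumed format: "Display Name" [SMTP:user@domain]; anything else is treated as internal.
            if ("$t" -match 'SMTP:[^@\]]+@([^\]\s]+)' -and
                $InternalDomain -notcontains $Matches[1]) {
                $reasons += "external recipient ($($Matches[1]))"
            } else {
                $reasons += 'internal forward'
            }
        }
        # CASE 3: a rule that deletes mail explains "missing" messages.
        if ($Rule.DeleteMessage) { $reasons += 'deletes messages' }
        if ($reasons) {
            [pscustomobject]@{
                Name    = $Rule.Name
                Enabled = $Rule.Enabled
                Reasons = ($reasons | Select-Object -Unique) -join '; '
            }
        }
    }
}

# Constructed sample objects shaped like Get-InboxRule output (not real data).
$sample = @(
    [pscustomobject]@{ Name = '.'; Enabled = $true; ForwardTo = $null; ForwardAsAttachmentTo = $null
                       RedirectTo = @('"x" [SMTP:drop@mailbox.example]'); DeleteMessage = $true }
    [pscustomobject]@{ Name = 'To assistant'; Enabled = $true; ForwardAsAttachmentTo = $null
                       ForwardTo = @('"Assistant" [SMTP:assistant@contoso.example]')
                       RedirectTo = $null; DeleteMessage = $false }
    [pscustomobject]@{ Name = 'Newsletters'; Enabled = $true; ForwardTo = $null
                       ForwardAsAttachmentTo = $null; RedirectTo = $null; DeleteMessage = $false }
)
$sample | Find-RiskyInboxRule | Format-Table -AutoSize

# Against a live mailbox, after Connect-ExchangeOnline:
# Get-InboxRule -Mailbox USERMAILBOX | Find-RiskyInboxRule -InternalDomain 'yourdomain.example'
```

With the sample data, the first rule is reported for an external recipient and for deleting messages, the second as an internal forward, and the third is not reported.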