The bad actors out there are clever and they’ll use any means at their disposal. Normally, when a user is successfully phished the first thing bad actors do is manipulate the email handling rules of the mailbox to hide their activity.
Unfortunately, there are quite a lot of different ways to forward email in Office 365 including via the mailbox and via Outlook client rules. It was brought to my attention that there is in fact another way that forwarding can be done, using the Sweep function. You can read more about this ability at:
Sweep rules only run once a day but do provide a potential way for bad actors to hide their activity, however as it turned out Sweep was in fact being exploited by bad actors inside a compromised mailbox.
I have therefore updated my publicly available PowerShell script at:
That will now also check and report on any Sweep rules in finds in mailboxes as well as any other forwards configured in the tenant.
Let me know if you find any other methods that this doesn’t cover and I’ll look at incorporating those as well.