A typical attacker tactic after a business email compromise event is to create email forwarding rules using one or more of these methods:
– Use rules in Outlook Web App to automatically forward messages to another account
– Sweep
It is therefore good practice to regularly check and verify the email forwarding rules inside your Microsoft 365 environment.
I have created a free PowerShell script exactly for this purpose, which you can find here:
Office365/o365-exo-fwd-chk.ps1 at master · directorcia/Office365 · GitHub
and the video:
https://www.youtube.com/watch?v=Oqk_yd6U3bk&t=16s
will provide a walkthrough of its execution.
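As a rough illustration of what such a check involves, here is an added example (not the o365-exo-fwd-chk.ps1 script linked above) that lists mailbox-level forwarding and forwarding inbox rules and marks targets outside the tenant's accepted domains. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session; the helper names Get-SmtpTarget and New-Finding are made up for this example.

```powershell
# Added example. Assumes an active Connect-ExchangeOnline session with rights
# to read mailboxes and inbox rules.

# Domains the tenant owns; any other target domain is reported as external.
$internal = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" }

function Get-SmtpTarget {
    # Extract addresses from values such as 'smtp:a@b.com' or
    # '"Name" [SMTP:a@b.com]'; directory (EX:) recipients yield nothing.
    param([object[]]$Value)
    foreach ($v in $Value) {
        if ("$v" -match 'smtp:([^\]\s]+@[^\]\s]+)') { $Matches[1] }
    }
}

function New-Finding {
    param($Mailbox, $Source, $Rule, $Target, $Enabled)
    $domain = ($Target -split '@')[-1]
    [pscustomobject]@{
        Mailbox  = $Mailbox
        Source   = $Source
        Rule     = $Rule
        Enabled  = $Enabled
        Target   = $Target
        # Targets without an SMTP address cannot be classified here.
        External = if ($Target -notmatch '@') { 'Review' }
                   elseif ($internal -contains $domain) { 'No' } else { 'Yes' }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $id = $mbx.PrimarySmtpAddress
    # Mailbox-level forwarding to an SMTP address.
    foreach ($t in Get-SmtpTarget $mbx.ForwardingSmtpAddress) {
        New-Finding $id 'MailboxForwarding' '' $t $true
    }
    # Mailbox-level forwarding to a directory recipient (may be a mail contact
    # with an external address): listed for manual review.
    if ($mbx.ForwardingAddress) {
        New-Finding $id 'MailboxForwarding' '' "$($mbx.ForwardingAddress)" $true
    }
    # Inbox rules that forward or redirect to an SMTP address.
    foreach ($rule in Get-InboxRule -Mailbox $id) {
        $values = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in Get-SmtpTarget $values) {
            New-Finding $id 'InboxRule' $rule.Name $t $rule.Enabled
        }
    }
}
$findings | Sort-Object External -Descending | Format-Table -AutoSize
```

Inbox rules that forward only to internal directory recipients are not listed by this example, and it does not inspect Sweep rules.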
Nice script. How do I modify this script to export this info to a CSV?
Use the -CSV command line parameter, i.e. .\o365-mx-check.ps1 -csv