A typical tactic after a business email compromise event is the creation of email forwarding rules using any one, or more, of these methods by an attacker:
It is therefore good practice to regularly check and verify the email forwarding rules inside your Microsoft 365 environment.
I have created a free PowerShell script exactly for this purpose, which you can find here:
and the video:
will provide a walk through of its execution.