To find when a rule was created in Office 365 Outlook, run an audit log search in the Microsoft 365 security & compliance center. Look for new rules, or rules that have been modified to redirect mail to external domains. The number of rules should be known and relatively small. The audit log search also shows who created the rule and from where they created it. If you see something unusual, contact the creator to determine if it is legitimate. Additionally, you can use the Search-Mailbox cmdlet in Exchange Online PowerShell to run a specific search query against a target mailbox of interest and copy the results to an unrelated destination mailbox.
To determine where the user was located when accessing the account, you can check the unified audit log in the Microsoft 365 security & compliance center. The report shows activities that could indicate a mailbox is being accessed illicitly. It includes date, IP address, user, activity performed, the item affected, and any extended details.
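The review described in the two paragraphs above, as an added PowerShell example that is not taken from the referenced articles: it reads inbox-rule audit records and lists the ones that forward or redirect mail outside the tenant, with the creating user and client IP. It assumes contoso.com is the only internal domain, uses constructed sample records in place of live Search-UnifiedAuditLog output, and Get-ExternalForwardingRule is a hypothetical helper name.

```powershell
# Added example. Live input would come from an Exchange Online session, e.g.:
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#       -Operations New-InboxRule,Set-InboxRule -ResultSize 5000
$InternalDomains = @('contoso.com')   # assumption: the tenant's accepted domains
$ForwardParams   = @('ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo')

function Get-ExternalForwardingRule {   # hypothetical helper name
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # AuditData is a JSON string; the rule settings sit in its Parameters array
        $data = $Record.AuditData | ConvertFrom-Json
        $hits = @($data.Parameters | Where-Object { $_.Name -in $ForwardParams })
        foreach ($p in $hits) {
            # One parameter value may hold several recipients separated by ';'
            foreach ($raw in ($p.Value -split ';')) {
                $addr = $raw.Trim() -replace '^smtp:', ''
                if ($addr -notmatch '@') { continue }   # skip non-SMTP recipients
                $domain = ($addr -split '@')[-1].ToLower()
                if ($domain -notin $InternalDomains) {
                    [pscustomobject]@{
                        When      = $data.CreationTime
                        User      = $data.UserId
                        ClientIP  = $data.ClientIP
                        Operation = $data.Operation
                        Setting   = $p.Name
                        Target    = $addr
                    }
                }
            }
        }
    }
}

# Constructed sample records (documentation IP ranges and example domains)
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-01-15T09:12:44","Operation":"New-InboxRule","UserId":"alice@contoso.com","ClientIP":"203.0.113.24:51544","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"ForwardTo","Value":"smtp:archive@example.net"}]}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-01-16T14:02:10","Operation":"Set-InboxRule","UserId":"bob@contoso.com","ClientIP":"198.51.100.7:40212","Parameters":[{"Name":"Identity","Value":"Team mail"},{"Name":"RedirectTo","Value":"carol@contoso.com"}]}' }
)

# Only the first record is listed; the second redirects to an internal address
$sample | Get-ExternalForwardingRule | Format-Table -AutoSize
```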