No New Email Received After Account Compromised

Often after an o365 account has been compromised, email sent to the account will not appear in the user's inbox. This is because the attacker created a mail rule to either delete all incoming mail or move it to a different folder. The attacker does this so that the account owner is unaware that emails are being sent out from their account. Messages in o365 are not automatically deleted but are instead moved to a deleted folder, where they are permanently deleted after a period of time.

To find the hidden or moved messages it is easiest to check the mail on the Outlook o365 site. This can be accessed through the myHancock portal or by going directly to https://outlook.com and entering the user's Hancock College credentials. 

Once inside Outlook, the user will need to click the "Gear" icon in the upper right corner of the window. Once it has been clicked, the "View all Outlook settings" link at the bottom of the panel on the right-hand side must be clicked:

[Image: gear icon]

A mail settings panel will be displayed. To find the mail rule that is redirecting email messages, click "Mail" in the left-most column and "Rules" in the center column. This will display the mail rules currently in place for the user's email address.

[Image: mail rules]

Attackers often create the offending mail rule with the name ".". The mail rule can be disabled by clicking the switch to the left of the rule, or deleted by clicking the trash can icon to the right of the rule. Before deleting the rule, the user should click the pencil icon to see where the messages are being routed. This brings up the specifics of the rule. The "Add an Action" section shows what the rule does with each message: either the folder it is moved to, or that it is deleted. Take note of this folder, or of the fact that the action is to delete.

[Image: add an action]

At this point the email rule can be deleted, and the user can return to their mailbox by clicking the "x" in the top right corner to close the mail settings window.

The user should navigate to the folder the email was being redirected to, or the "Deleted Items" folder:

[Image: deleted items]

All the missing emails should be found in this folder. The user should select the emails that were missed either by clicking the check box at the top of the message list to select all messages in the folder, or by selecting each individual message. To the right, the user can mark the messages as unread and click the "Move" link to move the messages back into the Inbox.

Once the mail rule has been disabled or removed, all future email should show up in the Inbox.
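
For help desk staff reviewing many accounts, the same check can be run over an export of a mailbox's rules instead of the settings panel. The script below is an added example, not part of the original procedure: it assumes the rules were exported as JSON in the shape of Microsoft Graph `messageRule` objects, and the sample data, folder IDs, and flagging heuristics (a rule that hides mail and either matches every message or has a symbol-only name such as ".") are constructed for illustration.

```python
import json

# Constructed sample shaped like Microsoft Graph messageRule objects; not real mailbox data.
SAMPLE_RULES = json.loads("""[
 {"displayName": ".", "isEnabled": true, "conditions": null,
  "actions": {"delete": true, "stopProcessingRules": true}},
 {"displayName": "Archive", "isEnabled": true, "conditions": {},
  "actions": {"moveToFolder": "FOLDER-ID-PLACEHOLDER", "markAsRead": true}},
 {"displayName": "Newsletters", "isEnabled": true,
  "conditions": {"senderContains": ["news@example.com"]},
  "actions": {"moveToFolder": "FOLDER-ID-PLACEHOLDER-2"}},
 {"displayName": "..", "isEnabled": false, "conditions": null,
  "actions": {"permanentDelete": true}}
]""")

def hiding_action(actions):
    """Return where the rule sends mail if it removes it from the Inbox, else None."""
    if actions.get("permanentDelete"):
        return "permanently deleted"
    if actions.get("delete"):
        return "Deleted Items"
    if actions.get("moveToFolder"):
        return "folder " + actions["moveToFolder"]
    return None

def audit_rules(rules):
    """Flag rules that hide mail and either match every message or have a symbol-only name."""
    findings = []
    for rule in rules:
        destination = hiding_action(rule.get("actions") or {})
        if destination is None:
            continue
        name = rule.get("displayName") or ""
        reasons = []
        if not rule.get("conditions"):  # null or {} means every incoming message
            reasons.append("applies to all incoming mail")
        if not any(ch.isalnum() for ch in name):
            reasons.append("name has no letters or digits")
        if reasons:
            findings.append({"name": name, "enabled": bool(rule.get("isEnabled")),
                             "destination": destination, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        state = "enabled" if f["enabled"] else "disabled"
        print(f'{f["name"]!r} ({state}) -> {f["destination"]}: {"; ".join(f["reasons"])}')
```

The reported destination is the folder to check for the missing messages; a disabled rule is still listed because it shows where earlier mail may have gone.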