We thought the end user was just bad at making outlook rules and made a slight mistake. Turns out a hacker logged into their company webmail and created a rule to send everything to the deleted folder.
The first thing the end user noticed was they were not receiving any emails. We checked the server and emails are certainly being delivered. But the inbox is surely void of any new emails. Strange to say the least.
After some searching we find a rule to send all incoming mail to the deleted items folder. Then we notice movement in the folder. Someone is actively reading their deleted items!
The first step is to immediately change your email password. The new password should be much stronger than the previous password (you were just hacked after all!) Then delete the mail forwarding rule.
Then comes the tedious task of going through your deleted items to identify any sensitive data that may have been compromised. Then contacting all the affected parties to let them know.