I had a user who recently experienced an email compromise, leading to the dispatch of several hundred spam emails. Fortunately, our Proofpoint service managed to quarantine all those messages before they actually went out. I've reset the user's password and reauthorized their email in Microsoft Defender. However, the problem now is that the user can send emails without a hitch, but they aren't able to receive any. I've double-checked that their inbox isn't full and have tested it on multiple platforms, including Apple Mail, the Outlook app, and the Outlook website, but no incoming mail seems to be coming through. Any ideas on what could be going wrong?
5 Answers
It could also be that Microsoft Defender flagged their mailbox due to the compromise and has placed some restrictions on incoming mail. I'd recommend checking the Restricted Entities section in the Microsoft 365 Defender portal and seeing whether the user's account appears there. If it does, you might need to lift that restriction.
Typically, after a breach, we see some accounts set a rule that deletes incoming emails or sends them to the deleted items folder automatically. Make sure to check that folder too, as the messages might be getting routed directly there without the user knowing.
It sounds like there could be hidden mailbox rules in place that are redirecting or deleting incoming emails. After a compromise, attackers often set these up to cover their tracks. You might want to check any rules on the mailbox using PowerShell, as there are parameters to search for hidden rules that might not show up in the standard GUI.
Another thing to consider is if there’s an issue with forwarding. Sometimes once a user's account is compromised, forward rules get set without their knowledge. Make sure to check both the inbox rules and if there's any forwarding set up that might be redirecting emails elsewhere.
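The two answers above (hidden inbox rules and forwarding) describe the same mailbox-side check. Here is an added example of how to run it from Exchange Online PowerShell; it is not code from anyone in this thread. It assumes the ExchangeOnlineManagement module is installed, that the admin account can read and modify mailbox settings, and uses placeholder addresses (`admin@contoso.example`, `affected.user@contoso.example`) that you would replace with your own.

```powershell
# Added example: post-compromise check of one mailbox for hidden or destructive
# inbox rules and for mailbox-level forwarding. Addresses below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example -ShowBanner:$false

$User = 'affected.user@contoso.example'   # placeholder: the compromised mailbox

# 1. Inbox rules. -IncludeHidden also returns rules that Outlook and OWA do not
#    list, which is where delete/move/forward rules planted during a compromise
#    usually sit.
$rules = Get-InboxRule -Mailbox $User -IncludeHidden

# Flag any rule that silently removes, diverts or hides mail. Outlook's own
# "Junk E-mail Rule" is an expected hidden rule; everything else is suspect.
$suspicious = $rules |
    Where-Object {
        $_.DeleteMessage -or $_.MoveToFolder -or $_.ForwardTo -or
        $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.MarkAsRead
    } |
    Where-Object { $_.Name -ne 'Junk E-mail Rule' }

"Inbox rules on $User that delete, move, forward, redirect or mark as read:"
$suspicious | Format-List Name, Enabled, Priority, Description,
    DeleteMessage, MoveToFolder, ForwardTo, ForwardAsAttachmentTo, RedirectTo, MarkAsRead

# 2. Mailbox-level forwarding. This is set on the mailbox object itself (by an
#    admin, or via an API with a stolen token) and never appears as an inbox rule.
"Mailbox-level forwarding settings for ${User}:"
Get-Mailbox -Identity $User |
    Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Containment. Disable rather than delete the suspicious rules so the
#    evidence survives for the incident record. Drop -WhatIf to apply for real.
foreach ($r in $suspicious) {
    Disable-InboxRule -Identity $r.Identity -Mailbox $User -Confirm:$false -WhatIf
}
# Clear mailbox-level forwarding if the previous step showed any (dry run again):
# Set-Mailbox -Identity $User -ForwardingAddress $null -ForwardingSmtpAddress $null `
#     -DeliverToMailboxAndForward $false -WhatIf

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once with `-WhatIf` in place to see what would change, compare the rule list against what the user recognises, and only then rerun without `-WhatIf`. A rule that moves mail to Deleted Items, RSS Feeds or Archive and marks it as read is the classic pattern behind "can send but not receive".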
Running a message trace could also help clarify the situation. It will show if incoming mails are being delivered or blocked. Sometimes messages get flagged or quarantined after suspicious activity. Plus, have a look at the Defender Quarantine just in case.
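For the message trace, quarantine check and Restricted Entities check suggested in the first and last answers, here is an added example in Exchange Online PowerShell; it is not code posted by anyone in the thread. It assumes the ExchangeOnlineManagement module is installed, the admin holds a role that can run message traces and read quarantine, and uses placeholder addresses (`admin@contoso.example`, `affected.user@contoso.example`).

```powershell
# Added example: confirm whether mail addressed to the user is reaching the
# tenant and what happened to it, then check quarantine and the restricted
# (blocked) senders list. Addresses below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example -ShowBanner:$false

$User  = 'affected.user@contoso.example'   # placeholder: the affected mailbox
$Start = (Get-Date).AddDays(-7)            # Get-MessageTrace covers at most the last 10 days
$End   = Get-Date

# 1. Inbound trace: every message addressed to the user in the window with its
#    final status. A status other than Delivered deserves a closer look.
$trace = Get-MessageTrace -RecipientAddress $User -StartDate $Start -EndDate $End -PageSize 1000

"Inbound message status summary for ${User}:"
$trace | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# 2. Drill into anything that was not delivered. Get-MessageTraceDetail lists the
#    per-hop events (spam verdict, transport rule, inbox rule action, ...), which
#    shows whether the mail was filtered, quarantined or acted on by a rule.
$trace | Where-Object { $_.Status -ne 'Delivered' } | ForEach-Object {
    "--- $($_.Received) from $($_.SenderAddress): $($_.Subject) [$($_.Status)]"
    Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId -RecipientAddress $User |
        Select-Object Date, Event, Action, Detail | Format-Table -AutoSize
}

# 3. Quarantine: mail held for this recipient in the same window.
"Quarantined messages addressed to ${User}:"
Get-QuarantineMessage -RecipientAddress $User -StartReceivedDate $Start -EndReceivedDate $End |
    Select-Object ReceivedTime, SenderAddress, Subject, Type, QuarantineTypes |
    Format-Table -AutoSize

# 4. Restricted entities: accounts blocked after sending spam. If the user is
#    listed, Remove-BlockedSenderAddress lifts the block; do that only after the
#    password reset and the rule clean-up are finished.
$blocked = Get-BlockedSenderAddress -SenderAddress $User
if ($blocked) {
    $blocked | Format-List SenderAddress, Reason, CreatedDatetime, ChangedDatetime
    # Remove-BlockedSenderAddress -SenderAddress $User -WhatIf
} else {
    "$User is not in the restricted senders list."
}

Disconnect-ExchangeOnline -Confirm:$false
```

If the trace shows the messages as Delivered while the user still sees nothing, the problem is inside the mailbox (a rule or folder redirection) rather than in mail flow; if they show as FilteredAsSpam or Quarantined, the fix is on the filtering side. Note that Microsoft is moving tenants from `Get-MessageTrace` to `Get-MessageTraceV2` (and `Get-MessageTraceDetailV2`); if the older cmdlets are no longer available in your tenant, the same parameters apply to the V2 versions.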