Recently had an Office 365 account compromised from a phishing website, which then sent out a mass-mail. Their email otherwise continued to function. Seeing the spam mail, I blocked the phishing site and reset the user's password. When they logged back in they weren't able to receive or send email, presumably because they were automatically added to "Restricted Users" in Office 365 Security & Compliance.
I removed them from this list by selecting to "Unblock" their account, but mail flow has not been restored several hours later.
I've been checking wherever I can think of in Microsoft 365 admin center, Security & Compliance and Exchange admin center (including Get-BlockedSenderAddress through the Exchange Online PowerShell as suggested on Removing a user from the Restricted Users portal after sending spam email) for something I've missed but I can't seem to find the issue.
Any suggestions on where I should look? I haven't found indication of an error, although there's probably one somewhere. For instance, mail sent from the account appears in "Sent" although it goes nowhere. Outlook and web-based mail are behaving the same. I feel like I'm missing something obvious?
Glad to know you resolved this issue yourself. You could mark it as the answer.
Or you also could use message tracking to check what process is blocking this message. How to Tell Which Transport Rule Was Applied to an Email Message https://practical365.com/exchange-server/tell-transport-rule-applied-email-message/
Solved. Apparently the compromise created this incoming mail rule:
I then selected the conversations from "Deleted Items" and did right click -> Stop ignoring.
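The thread traces the missing mail to an inbox rule created during the compromise. One way to review a mailbox's rules for that kind of change is sketched below as an added example, not part of the original posts: `Find-SuspiciousInboxRule` is a hypothetical helper, the sample rules and addresses are constructed, and the live-tenant lines assume the ExchangeOnlineManagement module.

```powershell
# Added example: flag inbox rules that delete, move, forward or redirect mail.
# Find-SuspiciousInboxRule is a hypothetical helper name, not a built-in cmdlet.
function Find-SuspiciousInboxRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Rule
    )
    process {
        $reasons = @()
        if ($Rule.DeleteMessage)         { $reasons += 'deletes incoming mail' }
        if ($Rule.MoveToFolder)          { $reasons += "moves mail to '$($Rule.MoveToFolder)'" }
        if ($Rule.ForwardTo)             { $reasons += 'forwards mail' }
        if ($Rule.ForwardAsAttachmentTo) { $reasons += 'forwards mail as attachment' }
        if ($Rule.RedirectTo)            { $reasons += 'redirects mail' }
        if ($Rule.MarkAsRead)            { $reasons += 'marks mail as read' }

        # A rule without any sender or keyword condition applies to every message.
        $hasCondition = $Rule.From -or $Rule.SubjectContainsWords -or
                        $Rule.SubjectOrBodyContainsWords -or $Rule.BodyContainsWords

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name         = $Rule.Name
                Enabled      = $Rule.Enabled
                AppliesToAll = -not $hasCondition
                Reasons      = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules, shaped like Get-InboxRule output, so this runs offline.
$sampleRules = @(
    [pscustomobject]@{ Name = '.'; Enabled = $true; DeleteMessage = $true; MarkAsRead = $true }
    [pscustomobject]@{ Name = 'Newsletters'; Enabled = $true; From = @('news@example.com'); MoveToFolder = 'Newsletters' }
    [pscustomobject]@{ Name = 'Flag manager'; Enabled = $true; From = @('manager@example.com') }
)
$sampleRules | Find-SuspiciousInboxRule | Format-Table -AutoSize

# Against a live tenant (mailbox address is a placeholder):
#   Connect-ExchangeOnline
#   Get-InboxRule -Mailbox user@example.com -IncludeHidden | Find-SuspiciousInboxRule
```

Rules flagged with AppliesToAll set to True and a delete or move action are the ones to review first; legitimate filing rules usually carry a sender or keyword condition.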