Several users have reported receiving phishing emails, and one at least has admitted to following the link. Investigation found that their Microsoft 365 account had been compromised (despite MFA being enabled, it doesn't look like it was required) and I discovered in their Outlook mailbox rules to move certain messages to RSS Feeds folder (why is that still a thing by default) where they wouldn't be found.
I suspect other users might have been similarly compromised but may not know or want to admit it. Amongst other things I'm investigating I wondered if it is possible to identify all mailboxes that have rules created in the last 14 days, or mailboxes that have non-empty RSS Feeds folder.
You could probably search mailbox audit logs for new-inboxrule events link
With a script like this, you could find all new-inboxRule events and filter them out.
Could probably achieve something similar with get-MailboxFolderStatistics but I am not sure what is the name of the RSS folder displayed in PowerShell.
Not quite as specific as the answer provided by @NNMamdN but this outputs a CSV containing all the rules for all mailboxes on the tenant with the mailbox and some fields that could be used to identify suspicious rules such as redirecting or forwarding the message elsewhere, marking the message as read, or moving it to a different folder.