How to Purge All OWA Rules from Office 365

  • Had an email user identified as being hacked this morning. The attack was pretty simple: create OWA rules (invisible to Outlook) that delete all incoming email and mark it as read so that the end user has no visual confirmation that email is being received at all. This hides attempted "reset my password" attacks so that password reset emails can be seen by the malicious party, and then perma-deleted before anyone can see what other accounts are being attacked.

    Resetting account passwords will obviously stop existing logins. Does anyone know how to purge all OWA rules across the board (as an admin, not as the end user) via PowerShell so that we can be sure that all rules have been removed for everyone?

  • This would work on on-prem Exchange. Probably works with a tweak for O365.
    Get-Mailbox | Get-InboxRule | Remove-InboxRule
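
An added example, not part of the thread: one way to run the tenant-wide cleanup asked about above against Exchange Online, saving a record of every rule before anything is deleted. It assumes the ExchangeOnlineManagement module and an Exchange admin role; the report path, the -Purge switch and the HidesMail column are names made up for this example.

```powershell
param(
    [string]$ReportPath = '.\inbox-rules-before-purge.csv',  # assumed output path
    [switch]$Purge                                            # report only unless set
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Get-Mailbox stops at 1000 results unless -ResultSize Unlimited is given.
$found = @(foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    $addr = [string]$mbx.PrimarySmtpAddress
    foreach ($rule in (Get-InboxRule -Mailbox $addr -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{
            Mailbox       = $addr
            RuleIdentity  = $rule.RuleIdentity
            Name          = $rule.Name
            Enabled       = $rule.Enabled
            DeleteMessage = $rule.DeleteMessage
            MarkAsRead    = $rule.MarkAsRead
            # The pattern described in the thread: delete mail and mark it read.
            HidesMail     = [bool]($rule.DeleteMessage -and $rule.MarkAsRead)
            Description   = $rule.Description
        }
    }
})

# Keep evidence of what existed: needed for the investigation and for
# restoring legitimate rules that users had set up themselves.
$found | Export-Csv -Path $ReportPath -NoTypeInformation
$found | Where-Object HidesMail | Format-Table Mailbox, Name, Enabled -AutoSize
Write-Host "$($found.Count) rule(s) recorded in $ReportPath"

if ($Purge) {
    foreach ($r in $found) {
        # Removing a rule through Exchange PowerShell also drops any client-side
        # Outlook rules in that mailbox; -Force suppresses the prompt about it.
        Remove-InboxRule -Mailbox $r.Mailbox -Identity "$($r.RuleIdentity)" `
            -Confirm:$false -Force
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without -Purge and review the CSV, then rerun with -Purge once you are sure every rule should go.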