Ryan Harwell

Outlook rules and O365

We have a client that was the victim of a man-in-the-middle attack. Another vendor told them that a rule could be created in Outlook that would perform an action on an email before it even hit the mailbox. As far as I know, all rules are server side now. Is this possible? If so, how? The vendor was an archiving company and we can't explain why the emails were never archived.


FOX

If the mailbox is in o365 you want to create a mail flow rule in o365.
You can set a rule against the sender's email address
ref link: https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules

You can also add the email address to blocked senders
ref link:  https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure?view=o365-worldwide

Ryan Harwell

ASKER

I am looking for anything that could be done from Outlook. The bad actor did not have 365 access, only the one user's mailbox.

FOX

Fair enough
In Outlook select Rules at the top > Manage Rules and Alerts
Select New Rule
Start from a blank rule > click "Apply rule on messages I receive" > select Next
Select "with specific words in the sender's address" (add the email address) > select Next
Select "Permanently delete it" > click Finish







Jian An Lim

all rules are server side now

As an admin, you can easily find out by running

Get-InboxRule -Mailbox <mailbox>

You can see what has been configured by the hacker.


Usually it is a forwarding rule, and I would always recommend blocking auto-forwarding as soon as possible.

Another thing is to implement MFA. That immediately blocks out a hacked password.

Email will be in the system for 30 days before it disappears for good, or if it has a retention policy, it can be kept longer than 30 days as well.

In short, they need to review all security settings.

I recommend using the CIS benchmark as a first hop: https://www.cisecurity.org/cis-benchmarks/#microsoft_365




FOX

Correcting the command on Jian's comment. After connecting to powershell for Exchange Online the actual command is
Get-InboxRule -Mailbox "emailaddressoftheuser" | Select -ExpandProperty:Description

Ryan Harwell

ASKER

We did put the mail flow rule in to block auto-forwarding, and MFA was in place. In this case, the attacker had a key logger on the victim's phone, so they were able to get the tokens.

The rule the attacker put in place was to move emails from certain domains to the RSS Feeds folder. For whatever reason, the archive vendor did not pick this up and said it was because it was moved to that folder. I tried and tried to explain to the client that this does not matter and the email should have been picked up by the archive because it came to the user's mailbox. I am basically trying to prove to the client that this is the case: unless an admin put a mail rule in place on the 365 side, the email does in fact go to the user's mailbox, and something is wrong with their archive. Basically I am trying to prove that no such rule can be created on the Outlook side that prevents the email from arriving at the mailbox. This is what I need to confirm.



Jian An Lim

No. Any normal user can do that (create a mail rule) without admin rights.


If it is Office 365, and logging works, download this file: https://microsoft.github.io/CSS-Exchange/Admin/Get-SimpleAuditLogReport/

You can find out with

$1 = Search-AdminAuditLog -Cmdlets New-InboxRule

$1 | C:\Scripts\Get-SimpleAuditLogReport.ps1 -Agree

This will show who has created what rule.

You can run through the whole admin audit log and see "who" has modified "what" before the intrusion.
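As an added example (not code from the thread or from Microsoft), the following script turns the two checks above into a defender's triage: it lists the inbox rules in one mailbox and flags the patterns discussed in this case (move to the RSS Feeds folder, delete, forward, mark as read), then pulls the audit records showing who created or changed rules. It assumes an existing Connect-ExchangeOnline session with an admin role, that auditing is enabled, and it uses Search-UnifiedAuditLog instead of Search-AdminAuditLog because the unified log also records rule changes made from the Outlook client (UpdateInboxRules), not only PowerShell cmdlets. The mailbox address is a placeholder.

```powershell
# Added example, not from the thread. Assumes Connect-ExchangeOnline has already been run.
param(
    [Parameter(Mandatory)][string]$Mailbox,            # placeholder, e.g. user@contoso.example
    [datetime]$Since = (Get-Date).AddDays(-30)         # look-back window for audit records
)

# 1. Enumerate the user's inbox rules, including hidden ones (the attacker's rule would be here).
$rules = Get-InboxRule -Mailbox $Mailbox -IncludeHidden

# Folders attackers typically use to hide delivered mail; "RSS Feeds" is the one used in this case.
$hideFolders = @('RSS Feeds', 'RSS Subscriptions', 'Deleted Items', 'Junk Email', 'Archive', 'Conversation History')

$findings = foreach ($r in $rules) {
    $reasons = @()
    if ($r.DeleteMessage) { $reasons += 'deletes message' }
    if ($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo) { $reasons += 'forwards/redirects mail' }
    if ($r.MoveToFolder -and ($hideFolders | Where-Object { $r.MoveToFolder -like "*$_*" })) {
        $reasons += "moves mail to '$($r.MoveToFolder)'"
    }
    if ($r.MarkAsRead) { $reasons += 'marks as read (hides the new-mail notification)' }
    if ($reasons) {
        [pscustomobject]@{
            Mailbox  = $Mailbox
            RuleName = $r.Name
            Enabled  = $r.Enabled
            Why      = ($reasons -join '; ')
            Details  = $r.Description      # same text the thread extracts with -ExpandProperty Description
        }
    }
}
$findings | Format-List

# 2. Who created or changed rules in the window, and from where?
$events = Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) `
            -Operations 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules' -ResultSize 5000
foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json          # per-record JSON with client IP and cmdlet parameters
    [pscustomobject]@{
        When      = $e.CreationDate
        Operation = $e.Operations
        Actor     = $e.UserIds
        ClientIP  = $d.ClientIP
        Target    = ($d.Parameters | Where-Object Name -eq 'Mailbox').Value
    }
}
```

A rule flagged in step 1 acts on mail only after it has been delivered to the mailbox, which is the point under discussion: the audit trail in step 2 shows who put it there, while a journaling or API-based archive would have captured the message regardless.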



Ryan Harwell

ASKER

Yes, I know anyone can create a mail rule, but can any of the rules created there actually prevent the email from coming into the mailbox before it is acted on by the rule?

ASKER CERTIFIED SOLUTION
Jian An Lim


Ryan Harwell

ASKER

The vendor is Smarsh. You are correct. I don't really need to blame them, but now the client is wanting us to disable RSS feeds via GPO, which has absolutely nothing to do with the issue. I did however get into the client's Smarsh account yesterday and, while they archive "all mail", they were not keeping this user's mailbox. So it was not really an issue with Smarsh, RSS feeds etc. The client manages their Smarsh and just never added the guy. Guess that is what happens when an accountant is the administrator.



Jian An Lim

The gap is clear :)

https://central.smarsh.com/s/article/How-to-Setup-Journaling-for-O365 <-- this clearly will take ALL emails as backup regardless of whether they have been added to the group.

Unless Smarsh uses a different "charging model" and discards them when they receive the journal email.

And by reading https://central.smarsh.com/s/article/Can-Outlook-calendars-be-archived

it also tells me they are not using an API to read the mailbox, so it is very interesting how such a "bad configuration" can make such a huge difference.

