Forum Discussion
Brent Ellis
Sep 19, 2017 | Silver Contributor
How to stop mail sending IMMEDIATELY if account compromised
We have a compromised credential, sending out bad emails. We have reset the password, run a "Revoke-AzureADUserAllRefreshToken" on the user's account. If we have reason to believe a malicious us...
Joel Jerkin
Sep 20, 2017 | Copper Contributor
You might want to take a look at this PowerShell script:
https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/RemediateBreachedAccount.ps1
This script will allow you to execute a recommended set of steps to fully re-secure and remediate a known breached account in Office 365.
It performs the following actions:
Reset password (which kills the session).
Remove mailbox delegates.
Remove mail forwarding rules to external domains.
Remove global mail forwarding property on mailbox.
Enable MFA on the user's account.
Set password complexity on the account to be high.
Enable mailbox auditing.
Produce Audit Log for the admin to review.
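
The forwarding, delegate and auditing steps listed in the reply above, sketched as an added example that is not part of the original post and is not code from RemediateBreachedAccount.ps1. It assumes an already connected Exchange Online PowerShell session; the function name and the `-Remediate` switch are hypothetical, and without that switch the function only reports what it finds.

```powershell
# Added example, not from RemediateBreachedAccount.ps1. Assumes a connected Exchange Online session.
function Invoke-MailboxForwardingReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Upn,   # mailbox to review
        [switch] $Remediate                      # without this switch nothing is changed
    )
    # Domains the tenant owns; any other SMTP domain counts as external.
    $internal = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" })
    $isExternal = {
        param($recipient)
        # Recipients render as e.g. '"Name" [SMTP:addr@domain]'; entries with no
        # SMTP address (directory objects) are treated as internal (assumption).
        if ("$recipient" -match '@([\w.-]+)') { $internal -notcontains $Matches[1] } else { $false }
    }

    # 1. Inbox rules that forward or redirect outside the tenant.
    foreach ($rule in Get-InboxRule -Mailbox $Upn) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $ext = @($targets | Where-Object { $_ -and (& $isExternal $_) })
        if ($ext.Count -gt 0) {
            [pscustomobject]@{ Finding = 'InboxRule'; Name = $rule.Name; Detail = $ext -join '; ' }
            # Disable rather than delete so the rule stays available as evidence.
            if ($Remediate) { Disable-InboxRule -Identity $rule.Identity -Confirm:$false }
        }
    }

    # 2. Mailbox-level forwarding.
    $mbx = Get-Mailbox -Identity $Upn
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{ Finding = 'MailboxForwarding'; Name = $Upn
                           Detail = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim() }
        if ($Remediate) {
            Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
        }
    }

    # 3. Explicit (non-inherited) delegates other than the mailbox owner.
    $delegates = Get-MailboxPermission -Identity $Upn |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' }
    foreach ($perm in $delegates) {
        [pscustomobject]@{ Finding = 'Delegate'; Name = "$($perm.User)"; Detail = $perm.AccessRights -join ',' }
        if ($Remediate) { Remove-MailboxPermission -Identity $Upn -User $perm.User -AccessRights $perm.AccessRights -Confirm:$false }
    }

    # 4. Make sure mailbox auditing is on so later activity is recorded.
    if ($Remediate) { Set-Mailbox -Identity $Upn -AuditEnabled $true }
}
```

Run it once without `-Remediate` and keep the output as a record of what was configured on the mailbox before any change is made.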