Forum Discussion
Why would a hacker/scammer put a domain INTO my exchange online admin?
OK so this is a weird one. I've been doing this a fairly long time but I'm not a full time exchange admin. I help my clients with exchange online often, but I'm a local IT pro, doing all sorts of screwdriver and software work, not just exchange. So maybe this isn't as bizarre as I think it is, but let's see.
My client stopped receiving email 2 days ago. Alerted me to it yesterday. They don't know their password but no devices are asking for passwords, so I suspect it's not a password issue. I get logged into my admin and reset their password so we can get into their account. Suddenly they start getting asked for PW on phone and outlook, so we know that the password hadn't been changed prior.
I get into account and see new rules sending all emails into archive and trash. So that explains that. So someone broke into the account with the correct password. Easily enough explained. Though weird that it would happen if the user didn't know their own password. So, one question is how did the scammer get into the account. I have looked at the login logs but I don't know what to sort/filter by to really find out anything helpful. Any ideas?
So I got into the account and upon resetting his password he is forced to enable MFA. So that's done.
I'm in the admin and what do I find? Two NEW domains in the settings. They are set up for exchange online. No users though.
Not only that but I can't REMOVE the domains that aren't mine. I get this error when trying to remove it: "The domain coburnsfleetservices.com can't be removed at this time because it was purchased from Microsoft 365. It can only be used with your current Microsoft 365 account. You can remove it from the account once the subscription expires or is canceled."
Also, in the emails missed in the past 48 hours we got one that said this: "A verified domain was added to your Avenue A Realty Advisors LLC account
If this domain wasn't added by an admin in your organization, credentials might have been compromised and we suggest reviewing your password and multifactor authentication settings."
I searched online and found contact info for one of the stolen/given domains. Called them and they said they had been hijacked 2 weeks ago, and their email used to send out payment requests to thousands of email addresses. Thought they had it solved a few days ago and it had been silent. Now this.
So a second thing I'd like to find out is when exactly those domains were put into my exchange online account. Can I find that info from the logs?
Additionally, WHY would someone move unrelated domains into my account? Maybe the assumption is that that happened before 2 weeks ago, when that company's domain had been used to send out mass mail? Doesn't seem possible, because that company would have figured out that they no longer controlled their own domain and they couldn't have gotten control of the account again. Or...? I don't know. But while I've seen users tricked into giving out their passwords dozens of times, and their email used to try to solicit money from vendors, I've never seen another domain slipped in.
Any ideas? And suggestions how to search the logs to get to the bottom of the missing puzzle pieces? Thanks for any leads!
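The post asks three log questions: how the attacker got into the mailbox, when the inbox rules appeared, and when the foreign domains were added to the tenant. The following is an added example, not code from the thread, showing how to pull all three out of the Unified Audit Log with the ExchangeOnlineManagement module. It assumes auditing was already enabled and the events are still inside the retention window; the admin and user UPNs are placeholders, and the Azure AD operation strings for domain changes (with their trailing periods) are assumed spellings, so adjust them if your tenant's audit search shows different names.

```powershell
# Added example (not from the original post): triage queries for a compromised Exchange Online
# mailbox and unexpected domain additions, using Search-UnifiedAuditLog.
# Assumptions: auditing was on, events are within retention, and UPNs below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"   # placeholder admin account

$Mailbox   = "user@contoso.example"        # placeholder: the compromised user's UPN
$StartDate = (Get-Date).AddDays(-30)
$EndDate   = Get-Date

# 1. When were domains added or verified, by whom, and from which IP?
#    Operation names are Azure AD directory audit activities as assumed to appear in the UAL.
$domainOps = "Add unverified domain.", "Verify domain.", "Add verified domain."
Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations $domainOps -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json          # AuditData is a JSON string per record
        [pscustomobject]@{
            When   = $_.CreationDate
            Who    = $d.UserId
            Op     = $_.Operations
            Target = ($d.Target | Select-Object -First 1).ID   # the domain name (assumed field layout)
            IP     = $d.ActorIpAddress
        }
    } | Sort-Object When | Format-Table -AutoSize

# 2. When were inbox rules created or changed on the mailbox, and what did they do?
#    UpdateInboxRules is the operation Outlook clients log; New-/Set-InboxRule come from OWA/PowerShell.
$ruleOps = "New-InboxRule", "Set-InboxRule", "UpdateInboxRules"
Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -UserIds $Mailbox -Operations $ruleOps -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When   = $_.CreationDate
            Op     = $_.Operations
            IP     = $d.ClientIP
            Params = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
        }
    } | Sort-Object When | Format-List

# Rules currently on the mailbox that hide or divert mail (delete, move, forward, redirect).
Get-InboxRule -Mailbox $Mailbox |
    Where-Object { $_.DeleteMessage -or $_.MoveToFolder -or $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo } |
    Format-List Name, Enabled, MoveToFolder, DeleteMessage, ForwardTo, RedirectTo, Description

# 3. Sign-ins for the mailbox, summarised per source IP so an unfamiliar address stands out.
$logons = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -UserIds $Mailbox -Operations "UserLoggedIn" -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{ When = $_.CreationDate; IP = $d.ClientIP; Result = $d.ResultStatus }
    }
$logons | Group-Object IP | ForEach-Object {
    $times = $_.Group | Sort-Object When
    [pscustomobject]@{
        IP       = $_.Name
        Count    = $_.Count
        First    = $times[0].When
        Last     = $times[-1].When
        Failures = ($_.Group | Where-Object { $_.Result -ne "Success" }).Count
    }
} | Sort-Object First | Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5000 records per call; if a query hits that cap, narrow the date range or page through with `-SessionCommand ReturnLargeSet`. The first sign-in from an IP that never appears before the day the rules were created is usually the entry point, and its timestamp bounds when the password was obtained.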
1 Reply
- Dan_Snape (Iron Contributor)
You can review the Purview Audit search to look for audit logs (as long as auditing was enabled!).
I'd be logging a ticket with Microsoft to get the domain removed ASAP.
Definitely a bit of a weird one. I'd say this is a form of Business Email Compromise and they are trying to trick vendors/partners into sending money their way, but why they would use your tenant is a bit unusual if they could just set up a new tenant and add the domain there. If they were able to register the domain in your tenant, the malicious actors obviously also have access to the other domain's DNS records as well, so that ain't good!!
I'd be locking down all the GA/privileged accounts ASAP. Best practice is to not give user accounts GA access and make admins use a separate privileged account to do any admin tasks. This means that if their user account is compromised, at least the bad actor doesn't get admin privileges in the tenant straight away.
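The reply's last point, separating day-to-day user accounts from admin accounts, can be checked rather than assumed. This is an added example, not the reply's own code: it uses the Microsoft Graph PowerShell SDK to list Global Administrator members and flag any that carry licenses, which is the usual sign that a mailbox-holding user account is also a tenant admin. Role and module names are real; the account names it prints are whatever your tenant holds, and the "licensed means day-to-day account" heuristic is an assumption you should confirm per account.

```powershell
# Added example (not from the reply): enumerate Global Administrator members and flag ones that
# look like ordinary licensed user accounts rather than dedicated, unlicensed admin accounts.
# Assumes the Microsoft.Graph PowerShell SDK is installed and you hold read rights on roles and users.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "User.Read.All"

# Get-MgDirectoryRole only returns roles that have been activated in the tenant.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw "Global Administrator role is not activated in this tenant" }

Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object {
    # Members may include service principals; Get-MgUser fails on those, so skip them quietly.
    $u = Get-MgUser -UserId $_.Id -Property Id, UserPrincipalName, AssignedLicenses, AccountEnabled -ErrorAction SilentlyContinue
    if ($u) {
        $licensed = ($u.AssignedLicenses.Count -gt 0)   # heuristic (assumed): licensed = day-to-day account
        [pscustomobject]@{
            UPN      = $u.UserPrincipalName
            Enabled  = $u.AccountEnabled
            Licensed = $licensed
            Verdict  = $(if ($licensed) { "REVIEW: licensed user account holds GA" } else { "dedicated admin account" })
        }
    }
} | Sort-Object Verdict -Descending | Format-Table -AutoSize
```

Every account flagged REVIEW is one where a phished user password hands over tenant-wide admin rights, which is exactly how a foreign domain ends up registered in the tenant; for those, create a separate cloud-only admin account with MFA and remove the role from the user account.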