- Run antivirus and antimalware scans on the user's devices. Make sure you are not going to change the password only to have that user immediately compromised again.
Once you are confident their devices are clean:
- Reset their password in AD if they are local, or in the cloud if they are not.
- Assume that anything else they use that password for has also been compromised, and have them change/update those passwords locally as well.
- Run a message trace for any mail sent by your compromised user over the last few days, and make sure other users in your org did not get the same junk sent to them. If anyone has, follow up with them and run antivirus etc. scans on them too.
Once all of that is done, hopefully the situation is good. Perhaps talk to your user and figure out what behavior caused them to get compromised, but for now focus on limiting impact and protecting yourself.
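For the message trace step, the sketch below (an added example, not part of the original text) reduces trace rows to the list of internal users who received mail from the compromised account, so you know whose devices to scan next. The function name `Get-InternalExposure`, the domain `contoso.example`, the addresses and the sample rows are all constructed; the property names match what `Get-MessageTrace` in Exchange Online PowerShell returns.

```powershell
# Live input (after Connect-ExchangeOnline), covering the last 3 days:
#   $rows = Get-MessageTrace -SenderAddress 'jdoe@contoso.example' `
#               -StartDate (Get-Date).AddDays(-3) -EndDate (Get-Date) -PageSize 5000

function Get-InternalExposure {
    # Hypothetical helper: groups trace rows by internal recipient.
    param(
        [Parameter(Mandatory)] [object[]] $TraceRows,
        [Parameter(Mandatory)] [string]   $InternalDomain
    )
    $suffix = '@' + $InternalDomain
    $TraceRows |
        # Keep only recipients inside the organisation
        Where-Object { $_.RecipientAddress.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) } |
        Group-Object RecipientAddress |
        ForEach-Object {
            [pscustomobject]@{
                Recipient = $_.Name
                Messages  = $_.Count
                Subjects  = ($_.Group.Subject | Sort-Object -Unique) -join '; '
                FirstSeen = $_.Group.Received | Sort-Object | Select-Object -First 1
                Delivered = @($_.Group | Where-Object Status -eq 'Delivered').Count
            }
        } |
        Sort-Object Messages -Descending
}

# Constructed sample rows standing in for Get-MessageTrace output
$sample = @(
    [pscustomobject]@{ Received = [datetime]'2024-01-10T09:02:00'; SenderAddress = 'jdoe@contoso.example'
                       RecipientAddress = 'asmith@contoso.example'; Subject = 'Invoice attached'; Status = 'Delivered' }
    [pscustomobject]@{ Received = [datetime]'2024-01-10T09:03:00'; SenderAddress = 'jdoe@contoso.example'
                       RecipientAddress = 'ASmith@Contoso.example'; Subject = 'RE: Invoice attached'; Status = 'Delivered' }
    [pscustomobject]@{ Received = [datetime]'2024-01-10T09:03:30'; SenderAddress = 'jdoe@contoso.example'
                       RecipientAddress = 'blee@contoso.example'; Subject = 'Invoice attached'; Status = 'FilteredAsSpam' }
    [pscustomobject]@{ Received = [datetime]'2024-01-10T09:04:00'; SenderAddress = 'jdoe@contoso.example'
                       RecipientAddress = 'someone@external.example'; Subject = 'Invoice attached'; Status = 'Delivered' }
)

Get-InternalExposure -TraceRows $sample -InternalDomain 'contoso.example' |
    Format-Table -AutoSize
```

Recipients with a non-zero `Delivered` count are the ones to follow up with first, since the message actually reached their mailbox.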