Anything I'm forgetting?

I typically follow the following 14 steps when an account is compromised. Is there anything else I am forgetting?

  1. Reset account password
  2. Sign out of all sessions
  3. Remove the account from admin roles
  4. Re-enroll MFA
  5. Check for enterprise apps authorized for the user
  6. Scan devices for malware
  7. Review mailbox rules
  8. Review mail forwarding
  9. Move any emails that were deleted/moved to a new folder
  10. Review audit logs for any other unusual activity
  11. Unblock the account to allow sending emails
  12. Enable MFA
  13. Review email apps and change availability
  14. Review sign-in logs and check for additional security measures you can take
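The checklist above, worked through as a script. This is an added example, not code from the original post or from Microsoft: it runs the 14 steps for a single compromised Microsoft 365 account using the Microsoft Graph PowerShell SDK and the Exchange Online Management module. It is read-only by default and only applies the containment changes (password reset, session revocation, role removal, forwarding removal, lifting the send block) when `-Remediate` is passed; the UPN and the lookback window are constructed placeholders.

```powershell
<#
  Added example (not the original poster's code): one pass over the 14-step
  compromised-account checklist for a Microsoft 365 user. Requires the
  Microsoft.Graph and ExchangeOnlineManagement modules. Read-only unless
  -Remediate is given. The default UPN is a placeholder, not a real tenant.
#>
param(
    [string]$Upn = 'compromised.user@contoso.example',   # placeholder value
    [int]$LookbackDays = 30,                              # assumed review window
    [switch]$Remediate
)

$scopes = 'User.ReadWrite.All','RoleManagement.ReadWrite.Directory',
          'UserAuthenticationMethod.Read.All','DelegatedPermissionGrant.ReadWrite.All','AuditLog.Read.All'
Connect-MgGraph -Scopes $scopes | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

$user  = Get-MgUser -UserId $Upn -Property Id,DisplayName,AccountEnabled
$since = (Get-Date).AddDays(-$LookbackDays)
Write-Host "== $($user.DisplayName) ($Upn), last $LookbackDays days =="

# --- Steps 1-2: containment, only with -Remediate ---
if ($Remediate) {
    # 1. Reset the password and force a change at next sign-in. The temporary value is
    #    read interactively so it never lands in shell history or a log file.
    $secure = Read-Host -AsSecureString 'Temporary password'
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
    Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $plain; ForceChangePasswordNextSignIn = $true }
    # 2. Revoke refresh tokens so every existing session has to re-authenticate
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
}

# 3. Directory roles the account holds (removed with -Remediate)
Get-MgUserMemberOf -UserId $user.Id -All |
  Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
  ForEach-Object {
      Write-Host "Role: $($_.AdditionalProperties['displayName'])"
      if ($Remediate) { Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $_.Id -DirectoryObjectId $user.Id }
  }

# 4 / 12. Registered authentication methods. Any method the user does not recognise is
#         attacker persistence and must go before re-enrollment; enforce MFA afterwards
#         through a Conditional Access policy rather than legacy per-user settings.
Get-MgUserAuthenticationMethod -UserId $user.Id |
  ForEach-Object { Write-Host "Auth method: $($_.AdditionalProperties['@odata.type']) id=$($_.Id)" }

# 5. Enterprise apps the user consented to (OAuth grants). Revoke unknown ones after review.
Get-MgUserOauth2PermissionGrant -UserId $user.Id -All | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    Write-Host "App consent: $($sp.DisplayName) scopes=[$($_.Scope)] grantId=$($_.Id)"
    # Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id   # once confirmed malicious
}

# 6. The endpoint malware scan is driven from the EDR console, not from this script.

# 7. Inbox rules, including hidden ones that only show up with -IncludeHidden
Get-InboxRule -Mailbox $Upn -IncludeHidden |
  Select-Object Name,Enabled,ForwardTo,RedirectTo,ForwardAsAttachmentTo,DeleteMessage,MoveToFolder |
  Format-Table -AutoSize

# 8. Mailbox-level forwarding, cleared with -Remediate
Get-Mailbox -Identity $Upn | Select-Object ForwardingAddress,ForwardingSmtpAddress,DeliverToMailboxAndForward
if ($Remediate) {
    Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
}

# 9. Items deleted during the window; restore selected ones with Restore-RecoverableItems
Get-RecoverableItems -Identity $Upn -FilterStartTime $since -FilterEndTime (Get-Date) -ResultSize 100 |
  Select-Object Subject,LastParentPath,LastModifiedTime | Format-Table -AutoSize

# 10. Unified audit log: rule, delegation and mailbox changes made as this user
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -UserIds $Upn -ResultSize 5000 `
    -Operations 'New-InboxRule','Set-InboxRule','UpdateInboxRules','Set-Mailbox','Add-MailboxPermission' |
  Select-Object CreationDate,Operations,@{n='ClientIP';e={($_.AuditData | ConvertFrom-Json).ClientIP}} |
  Format-Table -AutoSize

# 11. Outbound-spam restriction (the "blocked from sending" state), lifted with -Remediate
if (Get-BlockedSenderAddress -SenderAddress $Upn) {
    Write-Host 'Account is on the restricted-senders list'
    if ($Remediate) { Remove-BlockedSenderAddress -SenderAddress $Upn }
}

# 13. Mail protocols the account can use; legacy ones do not prompt for MFA interactively
Get-CASMailbox -Identity $Upn |
  Select-Object ActiveSyncEnabled,PopEnabled,ImapEnabled,SmtpClientAuthenticationDisabled,EwsEnabled

# 14. Sign-ins in the window: unfamiliar IPs and countries become indicators to hunt
#     for across the rest of the tenant
$from = $since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $from" -All |
  Select-Object CreatedDateTime,IpAddress,@{n='Country';e={$_.Location.CountryOrRegion}},
                ClientAppUsed,@{n='Result';e={$_.Status.ErrorCode}} |
  Format-Table -AutoSize
```

Run it once without `-Remediate` to capture the evidence (rules, grants, sign-ins, audit entries) before anything is changed, then again with `-Remediate` for the containment steps. Steps 3, 5 and 13 are deliberately left as listings with the removal calls commented or gated, because which roles, app consents and protocols are legitimate is a per-tenant decision that the script cannot make for you.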