We had an end user who was breached and we found this out when the account sent out hundreds of emails. The email was blocked automatically and we shut down the account, reset the password and revoked/reset MFA.
Once we went through logs, we saw the compromised account logged into from a different US state and the MFA conditional access was fulfilled and allowed. Digging further, we found that an alternate number was added into authentication methods a week back and the number had a country code from Nigeria. After meeting and reviewing with the user, she does not recall any suspicious emails, or communication with anyone about logging in or anything like that.
So what do we do? Is it safe to assume she did do something wrong? If yes, how do we prove it? Or is this even scarier where the attacker somehow gained access to the account without any social engineering whatsoever?
Also, we are aware of the outbound emails. How do we ensure no data was sent off our tenant? Is there a single report I can run to investigate any compromised data?
EDIT: We have CA set up to enforce MFA with SMS text or Msft Authenticator. We are in the middle of upgrading to phishing-resistant MFA but aren't there yet. Other CA policies are that the login must have a source in the US and cannot use any legacy/old logins.
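The two indicators in this post (a phone-based MFA method registered with a foreign dial code, followed by an MFA-satisfied sign-in from a state the user never signs in from) are exactly the pair a triage script should correlate across the audit log and the sign-in log. The script below is an added example, not the poster's tooling and not Microsoft's. It assumes a flattened record layout (real Entra directory-audit records nest the new value under `targetResources`/`modifiedProperties`, and sign-in records nest location and MFA status; the flat fields here are an assumption to keep the example short), a small hard-coded dial-code table, and constructed sample records for a fictional `contoso.example` tenant.

```python
import re
from datetime import datetime, timedelta

# Longest-prefix table of E.164 dial codes (assumption: only the codes needed here).
DIAL_CODES = {"+1": "US/CA", "+44": "GB", "+234": "NG"}

# Dial codes the tenant considers normal for SMS/voice MFA (assumption: US-only workforce).
EXPECTED_DIAL_CODES = {"+1"}

# Constructed, simplified audit-log records for security-info changes (not real tenant data).
AUDIT_LOGS = [
    {"activityDateTime": "2024-03-01T14:02:11Z", "activityDisplayName": "User registered security info",
     "targetUser": "alice@contoso.example", "method": "Phone", "newValue": "+234 80 1234 5678"},
    {"activityDateTime": "2024-02-20T09:15:00Z", "activityDisplayName": "User registered security info",
     "targetUser": "bob@contoso.example", "method": "Phone", "newValue": "+1 425 555 0100"},
]

# Constructed, simplified sign-in records (not real tenant data).
SIGNIN_LOGS = [
    {"createdDateTime": "2024-02-27T13:00:00Z", "userPrincipalName": "alice@contoso.example",
     "country": "US", "state": "Ohio", "mfaSatisfied": True, "ipAddress": "198.51.100.10"},
    {"createdDateTime": "2024-02-28T08:30:00Z", "userPrincipalName": "alice@contoso.example",
     "country": "US", "state": "Ohio", "mfaSatisfied": True, "ipAddress": "198.51.100.10"},
    {"createdDateTime": "2024-03-08T03:41:00Z", "userPrincipalName": "alice@contoso.example",
     "country": "US", "state": "Texas", "mfaSatisfied": True, "ipAddress": "203.0.113.77"},
    {"createdDateTime": "2024-03-08T04:10:00Z", "userPrincipalName": "bob@contoso.example",
     "country": "US", "state": "Washington", "mfaSatisfied": True, "ipAddress": "192.0.2.5"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-01T14:02:11Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def dial_code(number):
    """Return the longest matching dial code for an E.164-style number, or None."""
    digits = "+" + re.sub(r"\D", "", number)
    matches = [code for code in DIAL_CODES if digits.startswith(code)]
    return max(matches, key=len) if matches else None


def find_suspicious_method_adds(audit_logs, expected=EXPECTED_DIAL_CODES):
    """Flag phone-based authentication methods registered with an unexpected dial code."""
    findings = []
    for ev in audit_logs:
        if ev["activityDisplayName"] != "User registered security info" or ev["method"] != "Phone":
            continue
        code = dial_code(ev["newValue"])
        if code not in expected:
            findings.append({"user": ev["targetUser"], "when": parse_ts(ev["activityDateTime"]),
                             "number": ev["newValue"], "dialCode": code})
    return findings


def correlate_signins(method_adds, signin_logs, baseline_days=30):
    """For each flagged method add, find later MFA-satisfied sign-ins from a state the user
    had not signed in from during the baseline window before the add."""
    findings = []
    for add in method_adds:
        user_signins = [s for s in signin_logs if s["userPrincipalName"] == add["user"]]
        window_start = add["when"] - timedelta(days=baseline_days)
        baseline_states = {s["state"] for s in user_signins
                           if window_start <= parse_ts(s["createdDateTime"]) < add["when"]}
        for s in user_signins:
            ts = parse_ts(s["createdDateTime"])
            if ts > add["when"] and s["mfaSatisfied"] and s["state"] not in baseline_states:
                findings.append({"user": add["user"], "signinTime": ts, "state": s["state"],
                                 "ipAddress": s["ipAddress"], "methodAddedAt": add["when"],
                                 "suspectNumber": add["number"]})
    return findings


def run_triage(audit_logs=AUDIT_LOGS, signin_logs=SIGNIN_LOGS):
    """Run both checks and return (suspicious method adds, correlated sign-ins)."""
    adds = find_suspicious_method_adds(audit_logs)
    return adds, correlate_signins(adds, signin_logs)


if __name__ == "__main__":
    adds, hits = run_triage()
    for a in adds:
        print(f"[method add] {a['user']} registered {a['number']} ({a['dialCode']}) "
              f"at {a['when']:%Y-%m-%d %H:%M}Z")
    for h in hits:
        print(f"[sign-in] {h['user']} MFA-satisfied sign-in from {h['state']} ({h['ipAddress']}) "
              f"at {h['signinTime']:%Y-%m-%d %H:%M}Z, after suspect method add")
```

Running it over the constructed records flags only the foreign-number registration and the later out-of-baseline sign-in that still satisfied MFA, which is the sequence the post describes; the earlier baseline sign-ins and the coworker's domestic number are left alone. The same two checks are worth running as a standing detection rather than only during a post-incident review, since the method add preceded the sign-in by a week here and would have been the earliest signal.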