Determined that the user account had been compromised, likely by token theft. The compromised account had some hidden inbox rules on the mailbox, which made it appear as though the customer was not receiving emails. We remediated the situation by changing the user's password, revoking all current active sessions, and requiring re-registration of multi-factor authentication. By chance, we were lucky enough to have stopped the attack before emails were sent from the compromised account. We recommend that the customer acquire Microsoft Entra ID P2 licenses for all users to enable features like advanced sign-in policies that consider factors like location and impossible travel, and to enable advanced insights, proactive remediations, and reporting for IT staff so we can take action immediately. Additionally, Entra ID P2 includes token theft protection, which can help mitigate these types of attacks in the future.
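
The inbox-rule review and session revocation described above can be scripted as follows. This is an added example, not taken from the original note; it assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, and the parameter names `$UserPrincipalName` and `$RevokeSessions` are hypothetical. The password change and MFA re-registration are not covered.

```powershell
# Added example: triage one mailbox for hidden inbox rules, then optionally
# revoke the user's sign-in sessions. Report-only unless -RevokeSessions is set.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # affected user (supplied by the operator)
    [switch] $RevokeSessions
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Rules returned only with -IncludeHidden are the ones Outlook and OWA do not show.
$allRules   = @(Get-InboxRule -Mailbox $UserPrincipalName -IncludeHidden)
$visibleIds = @(Get-InboxRule -Mailbox $UserPrincipalName) |
    ForEach-Object { "$($_.Identity)" }

$report = foreach ($rule in $allRules) {
    # Actions that make mail "disappear" from the user's view
    $hidesMail = $rule.DeleteMessage -or $rule.MarkAsRead -or $rule.MoveToFolder
    # Actions that send copies of mail elsewhere
    $forwards  = $rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo

    [pscustomobject]@{
        Name        = $rule.Name
        Identity    = "$($rule.Identity)"
        Enabled     = $rule.Enabled
        Hidden      = "$($rule.Identity)" -notin $visibleIds
        HidesMail   = [bool]$hidesMail
        ForwardsOut = [bool]$forwards
        Description = $rule.Description
    }
}

# Hidden rules first, then rules that suppress or forward mail.
$report |
    Sort-Object -Property Hidden, HidesMail, ForwardsOut -Descending |
    Format-List

# Keep a copy for the incident record before any rule is removed.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$report | Export-Csv -Path ".\inbox-rules-$stamp.csv" -NoTypeInformation

if ($RevokeSessions) {
    # Invalidates refresh tokens and session cookies; access tokens that were
    # already issued remain usable until they expire.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    Write-Host "Sign-in sessions revoked for $UserPrincipalName"
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Rules confirmed as malicious can then be removed with `Remove-InboxRule`, using the `Identity` value from the report.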