We had an incident earlier where a user of our was sending spam internally and externally. Once we found out that the account was comprimised we disabled the user in our AD, changed the users password and forced an AD Connect Sync to O365. For some reason the users account was still able to send emails.
I made a rule in O365 Exchange to block the user from sending emails which seemed to work, but when i look at the logs, some emails were still able to go through. I am not sure why O365 didn't catch this and put the user in the restricted users area in threat remediation. O365 did this once before but it doesn't look like you can do it manually.
In the past, changing the password and disabling the user has always worked. I'm not sure what else we could have done to stop the users account from sending emails. I even revoked MFA sessions and required the user to reregister MFA as well as revoking current sessions.
Did I miss anything?