This is a classic "account compromise that won't die" scenario. Password resets and MFA rotation don't kill every persistence vector. The likely culprits, in order of probability:
A malicious app the victim consented to (or that was granted via a phishing link) has its own access token that's independent of the password. Password changes, MFA resets, and force-logout do not revoke OAuth app tokens on consumer Microsoft accounts. The app can read mail and create/recreate rules via the Graph/EWS API.
- Check: https://account.live.com/consent/Manage
- Revoke every app you don't recognize
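To go with the consent check above, here is an added example (mine, not part of the post) that triages the inbox rules an app like that would plant. It takes the JSON shape Graph returns from `GET /me/mailFolders/inbox/messageRules` (the `messageRule` resource with `conditions` and `actions`) and flags the classic persistence patterns: forwarding or redirecting to an outside address, deleting or marking mail as read, parking it in a folder nobody opens, and matching finance or credential-reset keywords. The rule JSON, the folder-id map, and the "own domain" set are constructed for the example; in practice you would pull the first two from Graph.

```python
"""Triage Microsoft Graph inbox rules for BEC-style persistence.

Added example, not code from the post above. Input follows the Graph
messageRule resource (GET /me/mailFolders/inbox/messageRules). The sample
rules, folder names and domain set below are constructed, not real data.
"""
import json

# Assumption: the victim's own domain(s); any other recipient is "external".
OWN_DOMAINS = {"outlook.com"}

# Constructed: folder id -> display name, as returned by GET /me/mailFolders.
# Graph rules reference folders by id only, so you need this map to read them.
FOLDER_NAMES = {"AAMkFolderNews": "Newsletters", "AAMkFolderRss": "RSS Subscriptions"}

# Folders attackers dump stolen mail into because nobody looks there.
HIDEAWAY_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                    "archive", "junk email", "deleted items"}

# Words that show up in conditions of fraud / credential-theft rules.
INTERESTING_WORDS = ("invoice", "payment", "wire", "bank", "password",
                     "security", "verification")

# Constructed sample response: one benign rule, two malicious ones.
SAMPLE_RULES_JSON = """{"value": [
  {"id": "r1", "displayName": "Newsletters", "isEnabled": true,
   "conditions": {"senderContains": ["news"]},
   "actions": {"moveToFolder": "AAMkFolderNews", "stopProcessingRules": true}},
  {"id": "r2", "displayName": ".", "isEnabled": true,
   "conditions": {"bodyContains": ["invoice", "wire transfer"]},
   "actions": {"forwardTo": [{"emailAddress": {"name": "",
                 "address": "acct.recovery4471@gmail.com"}}],
               "markAsRead": true, "delete": true, "stopProcessingRules": true}},
  {"id": "r3", "displayName": "Cleanup", "isEnabled": true,
   "conditions": {"subjectContains": ["password", "security alert"]},
   "actions": {"moveToFolder": "AAMkFolderRss", "markAsRead": true}}
]}"""


def _addresses(recipients):
    """Flatten Graph recipient objects to lower-case SMTP addresses."""
    return [r["emailAddress"]["address"].lower() for r in recipients]


def triage_rule(rule, own_domains=OWN_DOMAINS, folder_names=FOLDER_NAMES):
    """Return a list of findings for one rule; an empty list means benign."""
    findings = []
    actions = rule.get("actions", {})

    # Any forward/redirect off the victim's own domain is the headline finding.
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        for addr in _addresses(actions.get(key, [])):
            if addr.rsplit("@", 1)[-1] not in own_domains:
                findings.append(f"{key} external recipient {addr}")

    # Hiding the evidence: delete, mark read, or move to a forgotten folder.
    if actions.get("delete") or actions.get("permanentDelete"):
        findings.append("deletes matching mail")
    if actions.get("markAsRead"):
        findings.append("marks matching mail as read")
    folder_id = actions.get("moveToFolder", "")
    folder = folder_names.get(folder_id, folder_id)
    if folder.lower() in HIDEAWAY_FOLDERS:
        findings.append(f"moves matching mail to rarely checked folder '{folder}'")

    # Conditions that single out money or account-recovery traffic.
    conds = rule.get("conditions", {})
    phrases = (conds.get("subjectContains", []) + conds.get("bodyContains", [])
               + conds.get("bodyOrSubjectContains", []))
    hits = [p for p in phrases if any(w in p.lower() for w in INTERESTING_WORDS)]
    if hits:
        findings.append("conditions target finance/credential mail: " + ", ".join(hits))

    # Attackers name rules ".", "," or nothing so they don't stand out in the UI.
    if len(rule.get("displayName", "").strip()) <= 1:
        findings.append("empty or single-character rule name")
    return findings


def triage(rules, own_domains=OWN_DOMAINS, folder_names=FOLDER_NAMES):
    """Map rule id -> findings for every rule with at least one finding."""
    report = {}
    for rule in rules:
        findings = triage_rule(rule, own_domains, folder_names)
        if findings:
            report[rule["id"]] = findings
    return report


def load_rules(raw_json):
    """Unwrap the Graph collection envelope ({"value": [...]})."""
    return json.loads(raw_json)["value"]


if __name__ == "__main__":
    for rule_id, findings in triage(load_rules(SAMPLE_RULES_JSON)).items():
        print(rule_id)
        for finding in findings:
            print("  -", finding)
```

Run it against a real export by replacing `SAMPLE_RULES_JSON` with the Graph response and `FOLDER_NAMES` with the id-to-name map from `/me/mailFolders`. Anything flagged as an external forward or redirect is worth deleting on the spot; the folder and keyword findings are weaker signals and need a human look.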