User was hacked and sent out malware via their company email however unable to find out how?

I am investigating a user email comprise we have 365 and an e5 subscription, i have found that the user who was hacked sent out emails with links to wetransfer to external users and the links had downloads to a zipped folder which contained a vbs script, having looked at how he got hacked in the first place, i have found he received a similar email and downloaded malware and was hacked however this was 1 month before he sent …

cybersecurity downloads email emails external find folder hacked links malware script vbs zipped