This has just happened to SiL and his business.
The scam is, when you send an invoice to a client, the scammer then sends a follow-up email saying "our bank account details have changed, please pay A.N. Other". You think this could not happen to you? Well, it might not, but here are the salient details.
Their email account was hacked, exactly how is open to question, from an IP address in Nigeria. For several weeks they monitored the account, observing the flow, deleting phishing mails to ward off competition. They used Hotmail as their email account, and several people had access. I could see the access pattern in the logs. They waited until they sent out a large invoice and struck. Despite the account looking fishy in the extreme (the account name was a random individual, not a company) they paid it; it appears there was an autoresponder set up to "confirm" the account details when the customer queried. Of course, the actual scam is against the customer who hasn't paid, but things aren't always that simple.
Anyhoo. 2FA is set up now. I can't find a control in Microsoft to invalidate machines that are logged in, but the damage is done.
Simple password hygiene would have avoided that, as would regular security checkups on account activity. If you are running a small business, ask yourself what controls you have in place to stop that happening.