Here are my thoughts on this based on the incident described, it appears attacker employed a sophisticated multi-step approach to compromise the your user's system and Office 365 account. The attack mostly likely began with a phishing email containing a malicious link(url). Once clicked, this link probably take to a page that used WebRTC and STUN to obtain the user's public IP address and port information, bypassing NAT protection.

The attacker then likely used this information to scan the internal network, exploit vulnerabilities in public-facing applications, or take advantage of misconfigurations in the NAT/firewall to gain initial access. Once inside the network, the attacker probably stole the user's Office 365 credentials, either through a fake login page or by exploiting a vulnerability in the user's system.

Once With these stolen credentials, the attacker accessed the user's Office 365 account and placed a VBS script in the public folder. They also set up a scheduled task to run this script, establishing persistence and the ability to send phishing emails to other users in the company.

Be mindfull that while obtaining someone's public IP address and port information doesn't automatically allow for system exploitation (also know as reconnaissance), it can serve as a starting point for more targeted attacks, especially if there are vulnerabilities in the network configuration/public-facing services.

To mitigate such risks in the future, Consider implementing multi-factor authentication, regular system updates (vulnerability test/Pentest), strong network segmentation (with Layer 7 IPS), employee security training, advanced email filtering, and logging monitoring for suspicious activities are all crucial steps. Security is an ongoing process that requires continuous assessment and improvement to stay ahead of evolving threats.