Malicious email in Outlook Sent folder, could it be a clickjacking exploit?

Recently I discovered there are malicious emails (with HTM attachment) in the Sent folder of an @hotmail account to some unknown recipients in (Outlook app in iPad). I immediately proceed to change the password and enabled 2FA to block unauthorized access.

It was found that more than 100 of emails sent within a day and Chrome flagged the HTML attachment contains virus when attempt to download it for inspection. (no harm right if I open it with Notepad?)

The account was definitely abused but I’ve no idea how the password was leaked and recent login didn’t show anything useful. Otherwise, could it be some exploits (e.g. clickjacking) where clicking on random ads which will trigger mass email forwarding?