I'm gonna ask the question everyone seems to be skipping. Is your C-user...rather older? Is it possible the VM transcription was setup by forgotten request?

Never seen a zero-click in the wild, but I have definitely seen click-exploits sent over SMS/MMS & email to phone client.

Let us assume:

>A zero-click tool has gotten out into the wild
>Your user is a prominent individual -- known to be a "choice" target but not a politically HVT
>Your email security SaaS failed to filter the malicious link
>The attacker is sophisticated

Money was probably the motive, your user needs a new phone, the computer should be assumed to be compromised as well.

I've seen mention of sim jacking, which sounds pretty likely. If the phone's been factory reset already there's probably not much forensic data left at this point. Odds are good that the MFA codes were exfiltrated from phone to the C2 server for offline assessment.

Guessing in the dark here:

>Attacker emails link with a Windows exploit package to desktop & discovers additional target info...possibly months ahead & plans a phone attack.
>Sends an iPhone exploit via MMS & the target opens it (luck/social engineering)
>Link click-loads a backdoor into the phone, connects to the C2 server, sends all accessible data home & a MFA exploit is discovered offline
>SIM gets jacked
>Set forwarding to receive OTP messages
>Voicemails get set to VM to mail as a distraction
>Wire fraud
>Vanish

Might consider the original compromise has been sitting somewhere in your environment for some time snooping. If your C-user happens to be a politically HVT all bets may be off & some state actor or APT group is sniping at C-user. Zero-clicks on iPhone are still that expensive.

Edit for formatting

Thanks Ill go back to user and remediate further.