
That's why we now have 2FA enabled on most external access, VPN included.


Amazing they don't have 2FA on VPN; even if you don't go for a YubiKey/phone app, you could at least require a cert.


> As far as we can tell [...] the phish spam attacker used the main password they'd just stolen to register the person for our VPN and obtain a VPN password...

Requiring admin approval for VPN accounts would have prevented the phisher from getting VPN access to begin with.



