> As far as we can tell [...] the phish spam attacker used the main password they'd just stolen to register the person for our VPN and obtain a VPN password...
Requiring admin approval for VPN accounts would have prevented the phisher from getting VPN access to begin with.