I don't even know where to start, but I'll give it a try:
I'm being a little sarcastic, but did you follow the incident response plan? If there is no incident response plan, I think now is the time to create one.
That being said, you're saying he asked to change the bank account number to his bank account number. You have this account number I guess right? That's valuable information.
You're also saying he managed to transfer some money to this account. I think you need to create a police report as well for theft.
"When I checked somewhere, I heard about a malware which can work on the outlook and change the rules on the exchange as long as user is running outlook."
I'm not sure what you mean by that, but malware can do anything a computer do, so I'm not surprised it changed anything.
About the malware ... What I see often is that admins are cleaning the malware and say "Pfew, that almost went wrong". Never delete anything in an incident response. If there was malware, you deleted all the evidence and you have no idea what the malware did. Like I said, if you have an incident like this I think it's better to call the incident response team and let them handle it. This way a chain of custody can be created. When deleting the malware, there's no way you can check all other machines as well. Sure, you could scan them, but in the registry there could be pointers to an executable which you could have blocked or scan all other machines to prevent the spread of the malware if there is any.
"Not sure if his entire PST is hacked?"
I am not sure how you can "hack" a PST file. A PST file is an offline "database" with email. If he managed to get malware on this machine, I'm pretty sure he can do anything he/she liked.
Ok, MFA should be enabled on ALL mailboxes. Not just this one. People should be trained properly with security awareness programs so the changes the get "hacked" is lower. Are you using O365 Score? Security and Compliance? There very helpful.
Don't rely on virus-scanners. Hash-based doesn't make sense these days and heuristics are getting much better, but doesn't guarantee any machine from being infected.
Change the user's email address. Once you have a compromised account that was used to successfully steal financials, it will be targeted for the rest of that user's email life. If this attacker gets tired of trying they can possibly sell the info and then a new batch of attacker will try.