There are many scenarios where a mailbox and its access can become "untrusted". Preventative solutions abound, but this article will focus on the following worst case scenarios for the quickest way to shut down access with the least amount of impact and
Disabling a mailbox user's Active Directory account is not enough. For example, here's some of the considerations when dealing with an untrusted mailbox:
1. Disable the mailbox to prevent re-access of the mailbox by the user (example of specific steps)
2. Set a Send Prohibit Quota to quickly prevent sending off any messages.
example: Set-Mailbox alias -IssueWarningQuota 0 -ProhibitSendQuota 0
3. Move the mailbox to terminate all active logons to the mailbox, including the user's current logon
4. Office 365 mailboxes or other hosted/cloud solutions may not allow moving the mailbox quickly, so disabling protocols at the CASMailbox level will accomplish a similar solution.
EAS devices sync after account disable or password change
Removed Mobile Device Still Has Access To Exchange Mailbox via Exchange ActiveSync
Some great articles that help fill in the pieces;
What about disabling EAS for the mailbox (Mailbox Features tab)...would that cut-off access via ActiveSync device immediately or would the token cache still apply?
Disabling EAS for the mailbox helps but the token cache still applies. Only disabling the protocol [in this case EAS] and then moving the mailbox OR recycling the MSExchangeSyncAppPool on all Internet facing CAS would achieve the immediate results.