Hi Barbara,
I see that bonaventure.edu publishes a strict SPF record stating that email is only expected to be sent From: their domain using the
Office 365 academic service. That's great!
If you are interested in protecting your account from unauthorized access, ask your university email support department if multi-factor authentication can be enabled for your account.
The multi-factor authentication would require that you type in your password AND something else such as a code sent sent by call/text to your phone, or use an app such as Google Authenticator when logging in
Do you know how your account was compromised? Any chance you clicked a link in a
phishing email claiming to be from support resulting in you typing your password into a 3rd party web site?
It's also possible it's not your account, but an account of someone who has your address and some of the same contacts in their address book that was compromised.
If the spam is being sent using your From: address but not the Office 365 servers many other
email service providers should be marking it as spam.