First, I suggest taking immediate action to secure their Azure AD account and prevent further unauthorized access. Please follow the steps outlined in the Azure documentation on what to do if your account has been compromised if you haven't already done so.
Once secured, proceed to remove the unauthorized subscription. You can do this by following the steps outlined in how to cancel an Azure subscription. Note your role should be a Billing Account owner in order to complete this action.
If you're still unable to remove the subscription, please create an Azure Billing support request to work directly with a support engineer to quickly resolve your issue.