The first step to protect yourself is to not put your personal email in your question :) . I have removed it from your question.
Anyone can be spoofed and most likely that is what happened versus actually having access to your account. If your book keeping service fell for this, thats on them, not you.
Now, having said that, you should absolutely change your password as soon as possible.
Also, enable your accounst for MFA ( all your users should be required to use MFA)
IF you really feel your email has been compromised, open a ticket with 365 and ask them to assist you