
One of my colleagues received a phishing email in which he clicked on a link. The domain (www.phishing-link.biz) redirected to adfx.xxx.edu, which does look like an ADFS authentication page.

My colleague restated that he did not provide his user name or credentials but closed the window immediately. But several hours later his account was compromised and a huge amount of spam email was flowing out.

Without him providing any information, is there any way the hackers could get the info (like session hijacking)? From the host level, how can we see that the user has not provided credentials? Is there any tool which can assist me in getting this info?

Tom K.
MS Guy
  • Is your domain controller logging any login details? If so where are they from? OWA / their computer? Did changing their password have any effect? – DKNUCKLES Jan 22 '18 at 14:09

1 Answer


I see that the site is now suspended by hostmonster. Assuming he did not provide credentials knowingly or unknowingly, here are a few possibilities, if the phishing email was linked to the account compromise at all.

1. Clipboard content stolen

The malicious page could have stolen clipboard data.

2. Malicious scripts

The malicious link redirects the user to an .edu page, but in between the redirection there could be many other redirected pages. I've seen a few good examples going through different server-side PHP pages (apart from the client-side code in the example above), and it's transparent to the naked eye. Scripts could send out emails without email client dialog boxes.

Malware could have been downloaded as well, that may have compromised the machine to be an open relay server.

3. Malicious plugin/extension installed

In basic authentication, credentials are sent via HTTP POST, which is accessible via browser developer tools. A malicious plugin can exploit that.


With that said, it is useful to understand how the spam emails were sent out, be it through web mail (so we know it's about web security) or client-based (so we know it's host and network security related). Each track would have more possibilities of their own.

In terms of tools that can help you, why don't you check the outbound data to the malicious host, if you have the logs - proxy logs, NetFlow, packet captures etc. Those would paint a good picture of what was exfiltrated.

George
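As an added worked example (not part of the original answer or the asker's environment), the Python below does what the answer suggests with proxy logs: it reconstructs the redirect chain behind the phishing link (point 2 above) and then checks whether any request with a body, i.e. a form submission, ever left the workstation for a host in that chain, which is the host/proxy-level evidence for "did the user submit credentials or not". It assumes a TLS-intercepting proxy with a custom log format (fields listed in the docstring); the log lines are constructed for illustration, and r1.example-redirector.net, www.example.com and outlook.example.edu are made-up hosts, while www.phishing-link.biz and adfx.xxx.edu come from the question.

```python
"""Reconstruct a phishing redirect chain from proxy logs and look for an
outbound credential POST.  Added example, not code from the original page.

Assumed (not stated on the page) log format, one request per line:
  timestamp client_ip method url status resp_bytes req_body_bytes location
where 'location' is the Location response header or '-'.  The proxy is
assumed to intercept TLS, so HTTPS requests are logged with method and URL.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Entry:
    ts: str
    client: str
    method: str
    url: str
    status: int
    resp_bytes: int        # bytes the proxy sent back to the client
    req_body_bytes: int    # bytes of request body the client uploaded
    location: Optional[str]

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def parse_log(text: str) -> List[Entry]:
    """Parse the assumed space-separated format; blank and '#' lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, method, url, status, resp_b, req_b, loc = line.split(maxsplit=7)
        entries.append(Entry(ts, client, method, url, int(status), int(resp_b),
                             int(req_b), None if loc == "-" else loc))
    return entries


def redirect_chain(entries: List[Entry], start_host: str) -> List[str]:
    """Follow 3xx Location headers from the first request to start_host and
    return the ordered list of hosts the browser was actually bounced through.
    A Location the browser never fetched ends the chain (e.g. window closed)."""
    first_by_url: Dict[str, Entry] = {}
    for e in entries:
        first_by_url.setdefault(e.url, e)
    cur = next((e for e in entries if e.host == start_host), None)
    chain: List[str] = []
    seen: Set[str] = set()
    while cur is not None and cur.url not in seen:   # loop guard for redirect cycles
        seen.add(cur.url)
        if cur.host not in chain:
            chain.append(cur.host)
        if 300 <= cur.status < 400 and cur.location:
            cur = first_by_url.get(cur.location)
        else:
            cur = None
    return chain


def credential_posts(entries: List[Entry], hosts: Set[str], min_body: int = 1) -> List[Entry]:
    """Requests that carried a body to any host in the chain: a login form
    submission shows up here, a page that was merely rendered does not."""
    return [e for e in entries
            if e.method in ("POST", "PUT") and e.host in hosts and e.req_body_bytes >= min_body]


def bytes_uploaded(entries: List[Entry], hosts: List[str]) -> Dict[str, int]:
    """Total request-body bytes sent to each host in the chain."""
    totals = {h: 0 for h in hosts}
    for e in entries:
        if e.host in totals:
            totals[e.host] += e.req_body_bytes
    return totals


def analyze(text: str, start_host: str) -> dict:
    entries = parse_log(text)
    chain = redirect_chain(entries, start_host)
    posts = credential_posts(entries, set(chain))
    return {"chain": chain, "posts": posts,
            "uploaded": bytes_uploaded(entries, chain), "submitted": bool(posts)}


# Constructed sample logs (not real traffic).  Case A: the user closed the
# window on the fake ADFS page.  Case B: the same chain followed by a form POST.
LOG_CLOSED_WINDOW = """\
2018-01-22T09:14:02Z 10.0.5.23 GET http://www.phishing-link.biz/login 302 412 0 http://r1.example-redirector.net/go?x=1
2018-01-22T09:14:02Z 10.0.5.23 GET http://r1.example-redirector.net/go?x=1 302 388 0 https://adfx.xxx.edu/adfs/ls/
2018-01-22T09:14:03Z 10.0.5.23 GET https://adfx.xxx.edu/adfs/ls/ 200 5120 0 -
2018-01-22T09:14:03Z 10.0.5.23 GET https://adfx.xxx.edu/static/login.js 200 9822 0 -
2018-01-22T09:14:05Z 10.0.5.23 GET https://www.example.com/ 200 2200 0 -
"""
LOG_SUBMITTED = LOG_CLOSED_WINDOW + """\
2018-01-22T09:14:41Z 10.0.5.23 POST https://adfx.xxx.edu/adfs/ls/ 302 0 131 https://outlook.example.edu/owa/
"""

if __name__ == "__main__":
    for name, log in (("closed window", LOG_CLOSED_WINDOW), ("submitted", LOG_SUBMITTED)):
        r = analyze(log, "www.phishing-link.biz")
        print(name, "->", " -> ".join(r["chain"]), "| form submitted:", r["submitted"],
              "| bytes uploaded:", r["uploaded"])
```

Two caveats when reading the output: without TLS interception the proxy only sees `CONNECT adfx.xxx.edu:443` and byte counts, so the method and URL columns are gone and the only signal is request bytes on that tunnel compared with a known-clean visit to the same page; and a POST with a body refutes "I never typed anything" but does not by itself prove the credentials were valid, so it should be correlated with ADFS or OWA sign-in logs for that account.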