This is good they have this feature.
If the notification e-mail can include an authentication link that won’t complete the deletion of old e-mail unless link is clicked, that may help unless their e-mail accounts are also compromised.
Suspending account seems like a good first step, and sending manual e-mail to old address to notify user and make sure you are talking to a legitimate account holder not spammer before releasing suspension of account (after removing new imposter email).
I haven’t had to deal with this situation myself, hope there will be some more helpful advice posted. If their email client has been compromised there may be nothing you can do until/if that is resolved unless you have any other way to communicate with account holders. You could make public posts on your site warning members about what is happening.