Below is a series of links to the main Microsoft Defender for Office 365 blog. The shortcuts are added here because this is one of my shared bookmarks.
Note that some of the linked posts include KQL queries and IOCs related to the specific attack they describe.
From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud
Note that the compromised end user connected to EXO as part of this attack.
See also the documentation on protecting against consent phishing.
Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign