Below are a series of links to the main Microsoft Defender for Office 365 blog. Shortcuts added here as this is one of my shared bookmarks.
Note that some links have KQL queries and IOCs related to that specific attack.
Note that compromised end user connected to EXO as part of this attack.
Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign