Monday 19 August 2019

MS Spear Phishing Attack simulator can potentially expose your users' passwords

It has been quite some time since my last post, but I had a pretty nice case recently, and because MS support does not seem really interested in investigating it more deeply themselves, I wanted to put this piece of information somewhere so that others can also be aware of the potential security flaw in the tool called "Spear Phishing (Credentials Harvest) Account Breach" in the Attack simulator set of tools. You can find these tools on the Office 365 Security & Compliance portal, in the Threat management section.

First of all, what is this tool and what does it do? In short, it allows you to send a specially crafted message to your users, containing links to a quasi-malicious page disguised as the genuine Office 365 login page. Why "quasi-"? Because these pages are in fact on MS-controlled domains, although those domains are not really used for real MS services. Example links from the tool: http://portal.docdelivaryapp.com, http://portal.hardwarecheck.net or http://portal.docstoreinternal.net.