I saw one of these recently, too, with Microsoft. Someone opened a 365 tenant and set the name of the tenant to “Thank you for your purchase of Microsoft Defender for $509.99. If you have any questions, please call [attacker controlled number]”
Then they set their exchange online to forward messages to the intended victim, and requested a password reset email. So the victim ended up receiving an email that came from microsoftonline.com that said “Your password has been successfully changed. Thank you, [scam text]”
I saw one of these recently, too, with Microsoft. Someone opened a 365 tenant and set the name of the tenant to “Thank you for your purchase of Microsoft Defender for $509.99. If you have any questions, please call [attacker controlled number]”
Then they set their exchange online to forward messages to the intended victim, and requested a password reset email. So the victim ended up receiving an email that came from microsoftonline.com that said “Your password has been successfully changed. Thank you, [scam text]”