The first step of the hackers’ plan involved acquiring corporate usernames and passwords, from multiple companies, that may be tied to multiple cloud services (not necessarily Office 365).
The attackers tried different email variations derived from each employee’s name to gain access to potentially sensitive information. For example, someone named Elizabeth Miller (name changed) at Company X faced a number of login attempts into her account that used addresses such as email@example.com, firstname.lastname@example.org, or email@example.com.
In fact, one account fell victim to as many as 17 username variations from 14 IPs in just 4 seconds.
Although the passwords the attackers used could not be viewed in clear text, it can be inferred that they tried the same password across every username variation for a given user, because each email address was used only once in the unauthorized login attempts.
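The pattern described above (many name-derived usernames for one person, each tried once, from many IPs within seconds) can be detected by correlating failed logins per person rather than per account. The sketch below is an added example, not code from the original article; the log format, the employee directory, the thresholds, and all function names are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

def name_variants(first, last):
    """Local parts derivable from one name, with separators removed."""
    first, last = first.lower(), last.lower()
    pairs = [(a, b) for a in (first, first[0]) for b in (last, last[0])]
    combos = {a + b for a, b in pairs} | {b + a for a, b in pairs} | {first, last}
    return combos - {first[0] + last[0], last[0] + first[0]}  # bare initials: too ambiguous

def parse(line):
    """Assumed log format: '<ISO time> <FAIL|OK> <address> <source IP>'."""
    ts, result, address, ip = line.split()
    return datetime.fromisoformat(ts), result, address.lower(), ip

def detect(lines, directory, window_s=4, min_variants=3):
    """Flag people hit by >= min_variants distinct failed usernames within window_s."""
    lookup = {v: person for person in directory for v in name_variants(*person)}
    per_person = {}
    for ts, result, address, ip in map(parse, lines):
        local = re.sub(r"[._-]", "", address.split("@")[0])
        if result == "FAIL" and local in lookup:
            per_person.setdefault(lookup[local], []).append((ts, address, ip))
    alerts, window = {}, timedelta(seconds=window_s)
    for person, events in per_person.items():
        events.sort()
        for start, _, _ in events:
            burst = [e for e in events if timedelta(0) <= e[0] - start <= window]
            users = {e[1] for e in burst}
            if len(users) >= min_variants:
                alerts[person] = {"usernames": len(users),
                                  "ips": len({e[2] for e in burst}),
                                  "each_used_once": len(users) == len(burst)}
                break
    return alerts

# Constructed sample data (documentation IP ranges, example.com addresses).
DIRECTORY = [("Elizabeth", "Miller"), ("John", "Doe")]
SAMPLE = [
    "2017-06-01T10:00:00 FAIL emiller@example.com 192.0.2.10",
    "2017-06-01T10:00:01 FAIL elizabeth.miller@example.com 198.51.100.7",
    "2017-06-01T10:00:01 FAIL miller.elizabeth@example.com 203.0.113.5",
    "2017-06-01T10:00:03 FAIL elizabethm@example.com 192.0.2.44",
    "2017-06-01T10:00:02 FAIL jdoe@example.com 192.0.2.10",
    "2017-06-01T10:05:00 OK jdoe@example.com 192.0.2.99",
]

if __name__ == "__main__":
    print(detect(SAMPLE, DIRECTORY))
```

Per-account lockout counters do not catch this activity because each username sees a single failure; grouping by the underlying person is what exposes the burst.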