I’ve blown this up on LinkedIn now as it’s clear from talking to lots of impacted orgs they’ve found out about their breach from me.
The emails in the MS notification flow don’t even pass SPF or DKIM. It’s great that MS are being transparent — but they need to get down how to notify orgs.