My favourite part of this saga is aside from the MS breach notification emails not having valid DKIM signing nor SPF, the emails are getting flagged as phishing and submitted to sandboxes.
Each tenant has a unique URL, and I’m tracking over 500 so far - so there’s at least 500 victim orgs.