Note that the attacker needs to already have access to your Microsoft 365 account to do any of this. Fuck copilot and all, but this isn’t something they couldn’t achieve before.