Outlook web app hijack

We've all seen the email (probably).
"Your document is ready, click below"
This takes you to an official looking Microsoft login page.
Many people instinctively put in their office 365 account username (email) and password.
Login fails obviously, because it's not a real page.
They call IT and ask for a password reset or complain about all the passwords they have to remember, how they're sick of having to login all the time, etc.
Anyway, now that page has their credentials.
In my org., the hijacker would log into the webmail as the user and start sending out emails.
Some emails were trying to get personal/financial info, others were spreading the login fake page.
Annoying, a password reset, initiated by me, the administrator, fixed it. If you have a system that emails them a password reset link, this could completely lock them out from getting their email for a period of time while the hijacker has complete control. Not fun.

Some other things that the hijacker was doing. On one user, they adjusted the reply address to never show up in the hijacked accounts email. They added a letter to the name, that email doesn't exist, and the sender gets a bounce back. They did this so the hijacked account wouldn't know about their account spreading this 'virus', even though its not a virus at all, just social engineering.

Later, it was found that a rule was being created, forwarding certain emails to the RSS folder, because who uses that folder? This would allow the hijacker the ability to monitor an inbox and communicate with people that could potentially give out financial or personal information.

Pretty sneaky.

Some fixes:
Limit who can access OWA.
Those that can, make them 2FA.

I haven't looked into it too much, but O365 may be able to block access by region. If they don't have that option, it would definitely help in these situations. The IP access the email was outside the US.