Oh boy, gotta love this Optum/United Health compromise. Our health provider broker got compromised.
The way the attack went was:
1) Send an email to all known recipients, sharing a file through SharePoint
2) File being shared via SharePoint is a PDF document with one page, with an "OPEN PDF" link
3) URL led to a page to sign in and set up password and sign into Exchange. (VirusTotal Link: https://www.virustotal.com/gui/url/ddfeb700c27f32f8e69d39eed0179c26cde71ca31936b57d906fe8fa2845916d?nocache=1)
Had to learn some quick O365 search queries and content search to pull it out of our tenant. Caught it only as 1 user clicked.
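
An added example, not part of the original post: one way to run the kind of content search and removal mentioned above, using Security & Compliance PowerShell. The sender, subject, date and search name are constructed placeholders, and the account running it is assumed to hold the Search And Purge role.

```powershell
# Added example; every value in this block is a constructed placeholder,
# not a detail from the incident described in the post.
$SearchName = 'phish-sharepoint-share-PLACEHOLDER'
$Sender     = 'compromised.sender@broker.example'
$Subject    = 'PLACEHOLDER shared a file with you'
$Since      = '2024-01-01'
$MaxItems   = 500   # refuse to purge if the query matches far more than expected

# Requires the ExchangeOnlineManagement module.
Connect-IPPSSession

# Keyword query: scope by sender, exact subject phrase and received date
# so that legitimate mail from the same broker is not swept up.
$Query = "(from:$Sender) AND (subject:`"$Subject`") AND (received>=$Since)"

New-ComplianceSearch -Name $SearchName -ExchangeLocation All `
    -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll until the search finishes.
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity $SearchName
} while ($Search.Status -ne 'Completed')

# Review what matched before removing anything: total count, then the
# per-mailbox breakdown (shows which users received the message).
"Items matched: $($Search.Items)"
$Search.SuccessResults

if ($Search.Items -gt 0 -and $Search.Items -le $MaxItems) {
    # SoftDelete moves the messages to Recoverable Items, so they stay
    # available for investigation and can be restored if the query was too broad.
    New-ComplianceSearchAction -SearchName $SearchName -Purge `
        -PurgeType SoftDelete -Confirm:$false
    Get-ComplianceSearchAction -Identity "${SearchName}_Purge"
} else {
    Write-Warning "Purge skipped: $($Search.Items) items matched; check the query."
}
```

A purge action removes at most 10 items per mailbox per run, so re-run the search and purge until the count reaches zero if a mailbox received more copies.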