I've noticed that Microsoft themselves aren't helping this right now. M365 seems to default to using random-tenant-guid.onmicrosoft.com for a lot of these transactional emails like password changes, even though the official account.microsoft.com is fully multi-tenant aware and most Microsoft guidance tells you to always go directly to account.microsoft.com. These transactional email mistakes seem like another case of Microsoft accidentally exposing problems in their org chart to external customers. I imagine it has something to do with the wild rewrites from old Azure AD to new "exciting brand" Entra ID and other such shenanigans, combined with Microsoft's willingness to bend over backwards to bad IT administrators and letting them set bad defaults (such as "just use the .onmicrosoft.com GUID instead of a real domain"), because companies love to pay them good money for the "control" to do stupid things in Group Policies and corporate configuration.
Combined with the fact that the largest single source of spam I'm seeing right now is also coming from random tenant GUIDs .onmicrosoft.com (is Azure really missing that much SMTP security for random M365 tenants?) and this sort of corporate anti-training users to follow bad transactional email links, it certainly feels like we are in a perfect storm of M365 phishing.