Agari researchers entered unique credentials belonging to fake personas into phishing sites posing as widely used enterprise applications. The phishing sites impersonated Microsoft OneDrive, Office 365, SharePoint, Adobe Document Cloud, or just (generically) Microsoft. Researchers found that 23% of all accounts were accessed almost immediately (likely in an automated manner, to confirm that the credentials work), 50% of the accounts were accessed manually within 12 hours after compromise, and 91% were accessed manually within the first week. Some of the attackers pivot from email to Office 365 applications, the researchers noted.
Source: https://www.helpnetsecurity.com/2021/06/09/compromised-accounts/

