Campaign sent out in three days at least 120 malicious emails from a hacked Mailgun account used by Chipotle for email marketing purposes [mail.chipotle.com]. Most of the messages directed users to credential-harvesting sites impersonating services from a financial business and Microsoft. Email security company Inky says in a blog post today that they caught 105 such emails in this three-day campaign. The emails appeared to come from Microsoft 365 Message center and alerted the recipient of emails that could not be delivered due to low email storage in the cloud.
Source: https://www.bleepingcomputer.com/news/security/chipotle-s-marketing-account-hacked-to-send-phishing-emails/