A zero-day vulnerability known as baseStriker allows miscreants to send malicious emails that bypass security systems on Office 365 accounts. An attacker can simply send out a rich-text-formatted email with the following structure and Office 365 won’t be able to scan and detect any malware hosted on the URLs. Office 365 security systems like Advanced Threat Protection (ATP) and Safelinks do not merge the base URL and the relative path together before scanning; they scan each part separately. Microsoft is scheduled to release the Patch Tuesday security updates for the month of May 2018, although it is unclear whether the company had enough time to address the vulnerability.
Source: https://www.bleepingcomputer.com/news/security/office-365-zero-day-used-in-real-world-phishing-campaigns/
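
The merge step that the scanners skip can be shown from the defender's side. This is an added example, not code from the article or from Microsoft; it assumes the base URL is declared with an HTML `<base href>` element, and the blocklist entry, hostnames and message body are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed data: a one-entry URL blocklist and a sample message body.
BLOCKED_URLS = {"https://files.example/shared/invoice.html"}
SAMPLE_HTML = """<html><head><base href="https://files.example/shared/"></head>
<body><a href="invoice.html">View invoice</a>
<a href="https://intranet.example/help">Help</a></body></html>"""


class LinkCollector(HTMLParser):
    """Collect the first <base href> and every <a href> in document order."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if not href:
            return
        if tag == "base" and self.base is None:
            self.base = href.strip()  # browsers honour only the first <base>
        elif tag == "a":
            self.hrefs.append(href.strip())


def collect(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser


def scan_parts_separately(html):
    """Behaviour described above: base URL and hrefs are checked as written."""
    p = collect(html)
    parts = ([p.base] if p.base else []) + p.hrefs
    return [part for part in parts if part in BLOCKED_URLS]


def scan_resolved(html):
    """Merge base URL and relative path first, as the mail client will."""
    p = collect(html)
    resolved = [urljoin(p.base, h) if p.base else h for h in p.hrefs]
    return [url for url in resolved if url in BLOCKED_URLS]
```

Checking the resolved URL matches what the recipient's client will actually open, so the blocklisted link is caught only by `scan_resolved`.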