I’ve always found a good hack fascinating (remember reading 2600?) but while it can be scary, understanding how a good hack works can help you avoid being a victim. This interesting hack against Office 365 accounts uses a few new tricks. One is to embed malicious links in attachments (the attachment itself is safe and the email security tool only scans the embedded URLs), the next is to use the attachment to launch a man-in-the-middle attack to capture a session token when a user goes to the legit Microsoft site to be authenticated. See in the case of MFA, the username and password by themselves aren’t useful without the additional factor, but once you have a token they can access the account until it expires (default 90 days). Anyways, evidently these tactics and more have been in use for years. It’s worth your time to read the whole thing at Bleeping Computer.
TLDR: don’t open attachments or click on links you aren’t expecting, better to call your contact and ask them if they actually meant to send it to you.