Credential harvesting is one of the most popular attack forms out there. It's simple. Get a user to click on a link. At the link, get them to enter their information. Boom: stolen credentials.
The attack below is a fairly straightforward credential harvesting attack. What's interesting is that while it takes the end user to a Microsoft login page, the attack itself is missed by Google.
Here's what it looks like:
Should the user click on the HTML file, they'll get directed to this spoofed Microsoft login page:
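One way a mail filter could flag this pattern, an HTML attachment that presents a Microsoft-branded password form posting somewhere other than Microsoft, is sketched below. This is an added example, not code from the original analysis; the trusted-host list, brand words, sample message, filename and collector host are all constructed assumptions.

```python
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions: hosts treated as genuine sign-in endpoints, and brand words to look for.
TRUSTED_HOSTS = {"login.microsoftonline.com", "login.live.com"}
BRAND_WORDS = ("microsoft", "office 365", "outlook")

class FormScan(HTMLParser):
    """Collects form targets, password inputs and visible text."""
    def __init__(self):
        super().__init__()
        self.actions, self.text, self.has_password = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
    def handle_data(self, data):
        self.text.append(data)

def scan_html(html):
    p = FormScan()
    p.feed(html)
    # A form with no absolute action has no host; report it as "(relative)".
    hosts = {urlparse(a).hostname or "(relative)" for a in p.actions}
    text = " ".join(p.text).lower()
    return {"password_field": p.has_password,
            "microsoft_branding": any(w in text for w in BRAND_WORDS),
            "untrusted_post_hosts": sorted(h for h in hosts if h not in TRUSTED_HOSTS)}

def scan_message(msg):
    """Return (filename, findings) for HTML attachments showing all three signals."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".htm", ".html")):
            continue
        r = scan_html(part.get_payload(decode=True).decode("utf-8", "replace"))
        if all(r.values()):
            hits.append((name, r))
    return hits

def build_sample():
    """Constructed message; filename and host are placeholders."""
    msg = EmailMessage()
    msg.set_content("Open the attached file to view the document.")
    msg.add_attachment('<title>Sign in to your Microsoft account</title>'
                       '<form action="https://collector.example.invalid/post">'
                       '<input type="email"><input type="password"></form>',
                       subtype="html", filename="invoice.html")
    return msg
```

Calling `scan_message(build_sample())` returns one hit for `invoice.html`; a form that posts to a host in `TRUSTED_HOSTS` is not flagged.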
A number of checks failed when analyzing this email: