Attackers are using automated methods to generate attack email addresses that end in the onmicrosoft.com domain, to try to bypass any email filters that have onmicrosoft.com allow-listed.
The emails follow a similar format:
Should the user click on the "Sign In" buttons, they'll get directed to this spoofed login page:
(Note some of the typos on the page.)
Because the attackers can create an address that has "onmicrosoft.com" in it, it'll sail past many security solutions, including, in this case, ATP.
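The difference between allow-listing the whole onmicrosoft.com suffix and allow-listing only specific tenants can be checked against mail you have already received. The sketch below is an added example, not code from the original post; the trusted tenant name, the sample messages and all function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the exact tenant domains you actually trust (hypothetical name).
TRUSTED_TENANTS = {"contoso.onmicrosoft.com"}

def sender_domain(raw: str) -> str:
    """Lower-cased domain of the From header, or '' if it cannot be parsed."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].rstrip(".").lower()

def weak_allow(raw: str) -> bool:
    """Risky rule: skip filtering for anything under onmicrosoft.com."""
    domain = sender_domain(raw)
    return domain == "onmicrosoft.com" or domain.endswith(".onmicrosoft.com")

def strict_allow(raw: str) -> bool:
    """Safer rule: skip filtering only for an exact, known tenant domain."""
    return sender_domain(raw) in TRUSTED_TENANTS

def bypassing_domains(messages):
    """Sender domains the blanket rule passes but the strict rule would still filter."""
    return [sender_domain(m) for m in messages
            if weak_allow(m) and not strict_allow(m)]

# Constructed sample messages (not taken from the original page).
SAMPLES = [
    "From: IT Helpdesk <helpdesk@contoso.onmicrosoft.com>\nSubject: Maintenance\n\nbody",
    "From: Account Team <no-reply@xk42tenant.onmicrosoft.com>\nSubject: Sign in required\n\nbody",
    "From: Newsletter <news@example.org>\nSubject: Weekly update\n\nbody",
]

if __name__ == "__main__":
    for domain in bypassing_domains(SAMPLES):
        print("allow-listed by suffix only:", domain)
```

Any domain this reports is mail that reached users unfiltered purely because of the suffix match.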