The software industry is built on subscriptions. You pay for a year, or more, and then when the time comes, you can choose to renew (or not).
You're likely on the receiving end of tons of these emails, both at work and in your personal life. That makes it a worthwhile venture for hackers to try and spoof.
In this attack, missed by ATP, the hackers spoof a message saying that the end-users Office account has expired. Here's what it looks like:
The "service portal" is really a credential harvesting website:
The phishing URL has been detected as malware by multiple security engines:
