This phishing method took advantage of a vulnerability in Office 365 to bypass all of Microsoft's security. All Office 365 users were vulnerable, with or without ATP.

As of January 9th, this vulnerability has been fixed.