Chinese threat actors remained undetected in Microsoft 365 tenants for 18 months, exploiting a Managed Service Provider as a base for supply chain attack scenarios.