I ran into this a couple of times over the last six months, and this is what I found; I'm sure it could be different for others, I thought I would share my experiences in case it helps anyone.
A malicious email was opened, and a link is clicked which prompts the user to enter O365 credentials to retrieve a document.
After the credentials are provided, the document us unable to be downloaded/opened (not sure which, and I dont have access to my sandbox right now to check); At that point either a script is run or a person manually creates a rule on the O365 portal to deliver replies to the RSS Feeds folder (the more recent version of this was much more sloppy and had ALL incoming mail delivering to RSS). The rule doesnt appear in the local copy of Outlook... portal only. The script also seems to prevent Sent copies from being created.
In both cases, we never found any sort of payload other than the possibility of the script being run, so this appears to be an effort to harvest email addresses. I'd imagine there are other iterations out there, but the two times Ive seen this over the past six months both, were basically this.
I hope that helps someone!