Here is a phishing email seen that links to nvc.microsoft.com and when clicked redirects to a page hosted on customervoice.microsoft.com. These are not spoofing the Microsoft domain. They are actually hosted on servers reached through Microsoft domains.
Just had one of our clients get this (except indicating that ‘DUO MFA’ had blocked the file and they needed to click through to the MCV.MICROSOFT.COM address.