Any person with a mailbox in a company using Office 365 could exploit this vulnerability to obtain full Administrative permissions over their entire company’s Office 365 environment using just a few lines of JavaScript

Office 365 Vulnerability Allowed Unauthorized Administrator Access.

It’s been fixed now 🙂