Why am I seeing this note?
Typically, when a Cloned Website Canarytoken is triggered, the alert will include the name of the site where the Javascript code snippet was triggered ("Cloned Site" in the extra details section). It's often the case that it's name is similar to the legitimate site to trick victims.
However, in some cases, the data in that field can look a bit different.
What's Data URI phishing?
As opposed to a phishing web page being hosted by a web server that is either compromised or owned by an attacker, using a data URI scheme allows an attacker to present a web page to victims with all of its content contained in its own URI (link). By clicking on this link, victims are presented with a fake webpage (typically a login page) whose contents are loaded from the data in that URI.
So what does this mean?
The alert is very likely a legitimate phishing attempt, but via a data URI link and should not be ignored. Unlike with a regular phishing attempt, where the domain of the cloned site domain can be taken down, in this case it'd be helpful to find out where the users are being served the data URI link from and to take that down.