@GossiTheDog @adamshostack A lot of fascinating implications here. A successful password spray attack suggests no 2FA and either reused or weak passwords. Access to email accounts belonging to “senior leadership… cybersecurity, and legal" teams using just the permissions of a "test tenant account” suggests that someone gave that test account amazing privileges. Why? Why wasn't it removed when the test was over? I also note that it took Microsoft about seven weeks to detect the attack.