https://www.theregister.co.uk/2018/07/13/2fa_o365_bypass_attacks/

Hackers can potentially obtain access to Microsoft Office 365-hosted emails and calendars even if multi-factor-authentication is thought to be in place, we were warned this week.

Cybercrooks are able to force their way into corporate Office 365 accounts, bypassing single sign-on or multi-factor authentication, by targeting older systems, according to email security biz Proofpoint.