Microsoft Enterprise accounts have attacked did not use multi-factor authentication (MFA). Unfortunately, this was the main factor of hacking, the second subordinate, but also very important turned out to be poor hygiene of people’s passwords, especially their preference for straightforward passwords and the use of passwords on many accounts, both corporate and private. According to security director Alex Weinert, only 11 percent of accounts have MFA enabled.

https://www.welivesecurity.com/2020/03/09/microsoft-99-percent-hacked-accounts-lacked-mfa/