The incident illustrates the importance of multi-factor authentication and the insecure nature of browser-based password managers.
Researchers with Mandiant said that since at least April 14, the threat group behind the attack has used stolen credentials to access over 100 customer tenants. Some of the credentials were stolen via infostealer malware as early as 2020.
Microsoft is adding number matching, along with geographic and app context, to Authenticator to defend against MFA fatigue attacks.
Government officials cited progress a year after Biden's executive order, but stressed that "there's more work to do."
A trio of problems caused by a software update in some of Microsoft's data centers led to a service outage for customers of the Microsoft Entra ID MFA service last week.