Forum Topics DSE DSE Microsoft Service Agreement
Trancer
11 months ago

I'm not sure whether this comment pertains to the Microsoft 365 piece. If it does, I'll highlight the probable attack vectors for context. Microsoft 365 encompasses the online subscription portal that controls the assignment of licenses and technology to end users. Companies can use Azure Active Directory to control 2-factor authentication (i.e. you download the Microsoft Authenticator App to your phone, and every time you log into your PC / connect to the corporate VPN you have to authenticate using your phone).

Companies can also create special 'service' accounts that don't require 2FA and can automatically connect to the M365 portal to collect data. These service accounts use long encoded strings of data for authentication and are application specific (so if the request to connect is not coming from a trusted source, it won't allow the connection, even if the authentication key is right). This is tough to break.

The easiest vector is that an end user shared a password (perhaps they clicked on a phishing link sent to their work email address) and that user account didn't have 2-factor authentication enabled. If this is what happened, it would be very worrying that the business has not provisioned investment in 2FA.

In terms of the service agreement piece, Microsoft are right to make this point. Customers who invest in SaaS must accept this risk. Customers who instead build their own applications in hyperscaler platforms such as Azure need to factor security and availability into their design thinking as they develop their applications, i.e. data and services should run in parallel in two or more geographies, so if one goes down, things fail over to the other sites.

It's on Dropsuite to do the right things here.

14
Strawman
11 months ago

Nicely highlighted @Valueinvestor0909

It's such a core part of understanding the value prop Dropsuite offers clients. Far more than a "nice to have" for many. CEO Charif Elansari made the point when we spoke with him last year. I'll see if he's available for an update.

17