
> Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts [...]

> The attack was not the result of a vulnerability in Microsoft products or services.

Hmm...



It’s technically correct but misleading: the products are not inherently flawed but their lack of MFA means the product wasn’t used in a secure configuration. I hope that this is held against them by regulators or in court because they’ve known and even advocated for FIDO-2/WebAuthn for years and there’s no excuse for not requiring them by policy.


They mention it was a password spray guess.


My point is that if one can guess the password on a random test box and through that gain access to critical internal systems, you have lost the right to call your system "not vulnerable".


I'm guessing they don't know what a password spray is?


What is it? Just spam a form with passwords?


Well, if your "legacy non production test tenant" can be opened by just guessing passwords, and it allows access to "very much in use production non-test" tenants, then you could say MS has a vulnerability. It may not be a buffer overflow, but it is a vulnerability nonetheless.


Yes, and I think most people would consider it a vulnerability if an authentication system doesn't rate-limit or otherwise slow/stop "password spray" attacks.


You can rate-limit individual users, but password spray attacks use a large number of accounts to remain undetected in an authentication system used by even more users.


{rolls eyes}

This is precisely the kind of 1990s-level basic heuristic that this company cites as part of their Sentinel security system.

Trying to excuse a breach by 'the attacker tried a few passwords against lots of different accounts' is not compelling.


We are getting 10000x the number of wrong passwords than average, I'm sure it's nothing to worry about.
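The two comments above make one detection point between them: a per-account lockout never fires on a spray, because each account sees one or two guesses, while the aggregate failure count and the number of distinct accounts hit from one source are anomalous. The script below is an added example written for this thread, not code from Microsoft or from any commenter. The log lines, the IP addresses, the thresholds (3 failures per account, 5 distinct accounts per source within 10 minutes, 4x an assumed baseline of 2 failures per hour) and the log format are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp result username source_ip".
# 203.0.113.5 sprays one guess at six accounts and gets one hit;
# 198.51.100.7 hammers a single account; 192.0.2.44 is a user who mistyped once.
SAMPLE_LOG = """\
2023-11-20T10:00:01Z FAIL alice 203.0.113.5
2023-11-20T10:00:20Z FAIL bob 203.0.113.5
2023-11-20T10:00:42Z FAIL carol 203.0.113.5
2023-11-20T10:01:05Z FAIL dave 203.0.113.5
2023-11-20T10:01:30Z FAIL erin 203.0.113.5
2023-11-20T10:01:55Z FAIL frank 203.0.113.5
2023-11-20T10:02:10Z OK frank 203.0.113.5
2023-11-20T10:03:00Z FAIL carol 198.51.100.7
2023-11-20T10:03:10Z FAIL carol 198.51.100.7
2023-11-20T10:03:20Z FAIL carol 198.51.100.7
2023-11-20T10:05:00Z FAIL bob 192.0.2.44
2023-11-20T10:05:15Z OK bob 192.0.2.44
"""


def parse_log(text):
    """Parse the constructed log format into time-sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, result, user, ip = line.split()
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ok": result == "OK",
            "user": user,
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["time"])


def per_account_lockouts(events, threshold=3):
    """Classic per-account rule: accounts with at least `threshold` failures.
    A spray sends one or two guesses per account, so it stays under this."""
    fails = defaultdict(int)
    for e in events:
        if not e["ok"]:
            fails[e["user"]] += 1
    return {u: n for u, n in fails.items() if n >= threshold}


def spray_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Source IPs whose failures hit at least `min_accounts` distinct usernames
    within any `window`-long span. Returns {ip: max_distinct_accounts}."""
    by_ip = defaultdict(list)
    for e in events:  # events are time-sorted, so each per-IP list is too
        if not e["ok"]:
            by_ip[e["ip"]].append(e)
    result = {}
    for ip, fails in by_ip.items():
        best = 0
        for i, start in enumerate(fails):
            users = {f["user"] for f in fails[i:]
                     if f["time"] - start["time"] <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            result[ip] = best
    return result


def failure_rate_alerts(events, baseline_per_hour, multiplier=4):
    """Aggregate rule: hourly failure counts far above an assumed baseline.
    Returns [(hour_label, count)] for hours exceeding multiplier * baseline."""
    per_hour = defaultdict(int)
    for e in events:
        if not e["ok"]:
            per_hour[e["time"].strftime("%Y-%m-%dT%H")] += 1
    return [(h, n) for h, n in sorted(per_hour.items())
            if n > multiplier * baseline_per_hour]


def successes_from_spray_sources(events, sprayers):
    """The follow-up that matters for response: any successful login
    from an IP already flagged as a spray source."""
    return [(e["user"], e["ip"]) for e in events
            if e["ok"] and e["ip"] in sprayers]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account lockouts:", per_account_lockouts(evs))
    sprayers = spray_sources(evs)
    print("spray sources:", sprayers)
    print("hourly failure alerts:", failure_rate_alerts(evs, baseline_per_hour=2))
    print("successes from sprayers:", successes_from_spray_sources(evs, sprayers))
```

On the sample, the per-account rule catches only the single-account brute force against carol; the spraying source is invisible to it but stands out on both the distinct-accounts rule and the hourly failure count, and the successful login for frank from that source is the event an on-call analyst would want paged on.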


It was a legacy test system connected to a production system so it doesn't count. Obviously. /s

