What (if anything) did we learn from Microsoft's latest corporate email breach?

What can we learn from the latest news that Russian-sponsored hackers stole corporate Microsoft emails by password-spraying a legacy non-production test tenant account? Unsure, other than articles are saying MFA wasn't enabled.

These best practices work and would have stopped the cyberattack at bullet one or two.

* Strong Password Policies: Ensure every account has a complicated, one-of-a-kind password. Encourage the usage of password managers and change passwords on a regular basis.
* Require multi-factor authentication (MFA) and enable it …

account articles best practices breach can corporate corporate email cyberattack cybersecurity email emails hackers latest latest news learn legacy mfa microsoft non password practices production russian sponsored spraying test work