The Truth About The Deloitte Security Breach
https://blog.safe-t.com/truth-about-deloitte-security-breach
"A single administrator account with access to the Azure implementation was guarded only by a username and password, without any two-factor-authentication(2FA). Attackers stole this administrator's credentials and used them to leverage access to the entire email system."
https://blog.safe-t.com/truth-about-deloitte-security-breach