How do you get into only 3% of accounts? Then no admin account is ‘compromised’, because then they would have been in all accounts. If individual user accounts have been stolen, MFA is not enabled for those accounts.
However, if I go to the source, it says:
At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted.
I think that translates to something other than:
The attackers had access to about three percent of all inboxes.
Potentially opened mailboxes would be 3%. Do I interpret that correctly, that people only sought access to 3% of the mailboxes, but that in theory they had access to everything? So AAD / EXO still had admin rights on that O365 environment?