I'll take their word for it. Won't you?
"Indeed Redmond itself admitted: 'If the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks.'"
I guess I don't understand how an MFA challenge/response test framework works that doesn't allow some automation of the MFA. I mean, if the bot is performing the test, the bot can answer the second/third/etc. request. CAPTCHA?