Reply to post: Re: Wow. Click bait.

Two-factor auth totally locks down Office 365? You may want to check all your services...

Anonymous Coward

Re: Wow. Click bait.

Our site allows webmail (OWA) and there's no 2FA with that. For anyone who doesn't know, with OWA you log in with domain name, Windows user name, and password. The Windows user name is easily guessable from the e-mail address. The only thing that's holding the hordes out is the domain name itself which is inevitably going to leak out if it hasn't already and isn't too difficult to guess.

Our phishing advice is not to trust external domains. If that advice were followed, nobody could do their work because we use about ten of them. Users use their corporate e-mail address or Windows user name to log into these domains, and they'll probably end up using their Windows password as the password for everything because some external domains use Windows SSO which does require the Windows password, and some don't.

Unless the company gives everyone SecurID or similar or gives everyone a corporate mobile with some 2FA app on it, this won't get fixed. And that's not going to happen because it costs too much. Certainly MS' alleged "world class Identity and Access Management solution" doesn't address these problems.
