Microsoft confirmed that two-factor authentication (2fa) won’t necessarily protect against attackers exploiting the new Exchange flaws, particularly if an account has already been compromised.
“If auth is successful (2FA or not) then CVE-2021-42321 could be exploitable,” says Microsoft program manager Nino Bilic.