The attack abused misconfigured conditional access policies to bypass multi-factor authentication protections.