This article details what should be a serious concern for anyone using Outlook Web Access and relying on multi-factor authentication as a security measure.  Given the ease of compromise, admins should reconsider their comfort level with this type of authentication deployment.

https://threatpost.com/outlook-web-access-two-factor-authentication-bypass-exists/121777/