Good article but not fully comprehensive. You omitted several types of attack.
- The educated guess attack. We see password guessing attacks at low frequency (trying to fly below the radar). The risk is that the attacker has obtained samples of passwords the user had used on other Internet sites and that the user has a pattern for generating their passwords.
- The offline attack. If a user has password-protected a certificate .pfx or an SSH key file, and that file is stolen, then the attacker can attempt to crack that password at their leisure.
- Consultants re-using passwords for multiple customers. We have seen attackers log on to VMs that were created by MS consultants with only a few incorrect passwords before success. We suspect that either those passwords were found in some document/list (or perhaps hard-coded in a script on some compromised box), or the attackers had cracked them from a compromised SAM database or a QA/dev network. They were not accounts used interactively.
MFA is not a panacea. SMS and mobile calls can often be hijacked or copied using SS7 hacks. The Authenticator app verification code is more secure, but not every user has a smartphone. We have seen an increase in attacks bypassing MFA; the most common is an attacker stealing the credentials (e.g. by phishing) and then attempting to sign in at the same time as the legitimate user. As there is no correlation code or sequence number on the SMS or call-back MFA calls, the users may grant the attacker access. Even if they get two calls (one from their own sign-in attempt and one for the attacker's), they don't regard that as suspicious, because it happens often (especially in countries with poor cell coverage).
There are also ways to get past CA; it raises the bar but is not impregnable.
We have disabled basic auth on the tenant and blocked legacy auth (by CA policy; don't forget to uncheck the menu box so you apply it to ActiveSync on older devices).
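The three patterns this comment describes (low-frequency password guessing spread across many accounts, an attacker signing in alongside the legitimate user and riding their MFA approval, and legacy-protocol sign-ins slipping past a Conditional Access block) can each be expressed as a simple rule over sign-in logs. The block below is an added illustration written for this page, not code from the commenter or from Microsoft. The record layout, field names (`time`, `user`, `ip`, `result`, `client_app`, `mfa`), the sample events, the legacy protocol names and the thresholds are all assumptions made for the example; the protocol names are chosen to resemble Azure AD's `clientAppUsed` values but should be checked against your tenant's actual log schema before use.

```python
"""Toy detection rules for the sign-in attack patterns discussed above.

All records below are constructed for this example (fictitious users,
RFC 5737 test addresses); the field names are an assumption, not a real schema.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def ev(time, user, ip, result, client_app="Browser", mfa=False):
    """Build one constructed sign-in record."""
    return {"time": time, "user": user, "ip": ip, "result": result,
            "client_app": client_app, "mfa": mfa}


SAMPLE_EVENTS = [
    # Low-and-slow guessing: one source, one failure every few hours, many accounts.
    ev("2020-03-01T01:00:00", "alice", "203.0.113.5", "failure"),
    ev("2020-03-01T05:10:00", "bob", "203.0.113.5", "failure"),
    ev("2020-03-01T09:20:00", "carol", "203.0.113.5", "failure"),
    ev("2020-03-01T13:30:00", "dave", "203.0.113.5", "failure"),
    # Noisy brute force: five failures in six minutes against one account.
    # A lockout threshold catches this; the low-and-slow rule deliberately does not.
    ev("2020-03-01T02:00:00", "alice", "198.51.100.7", "failure"),
    ev("2020-03-01T02:01:00", "alice", "198.51.100.7", "failure"),
    ev("2020-03-01T02:02:00", "alice", "198.51.100.7", "failure"),
    ev("2020-03-01T02:04:00", "alice", "198.51.100.7", "failure"),
    ev("2020-03-01T02:06:00", "alice", "198.51.100.7", "failure"),
    # MFA race: two sign-ins for erin from different IPs seconds apart, both approved.
    ev("2020-03-01T10:00:05", "erin", "192.0.2.10", "success", mfa=True),
    ev("2020-03-01T10:00:20", "erin", "203.0.113.9", "success", mfa=True),
    # Benign: frank signs in twice from the same IP.
    ev("2020-03-01T11:00:00", "frank", "192.0.2.11", "success", mfa=True),
    ev("2020-03-01T11:00:30", "frank", "192.0.2.11", "success", mfa=True),
    # Legacy protocol still in use after the policy change.
    ev("2020-03-01T12:00:00", "grace", "198.51.100.20", "success",
       client_app="Exchange ActiveSync"),
]

# Assumed legacy client_app values (modelled on Azure AD clientAppUsed names).
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3",
                      "Authenticated SMTP", "Other clients"}


def _t(event):
    return datetime.fromisoformat(event["time"])


def low_and_slow_sources(events, min_users=3, max_per_hour=2):
    """Source IPs whose failures never exceed max_per_hour in any clock hour
    (so a lockout threshold never fires) yet touch at least min_users accounts."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append(e)
    flagged = []
    for ip, evs in failures.items():
        per_hour = Counter(_t(e).replace(minute=0, second=0, microsecond=0) for e in evs)
        users = {e["user"] for e in evs}
        if max(per_hour.values()) <= max_per_hour and len(users) >= min_users:
            flagged.append(ip)
    return sorted(flagged)


def mfa_race_users(events, window=timedelta(minutes=2)):
    """Users with two sign-ins from different IPs inside `window`, at least one
    of them MFA-approved: a phished-credential attacker piggybacking on the
    legitimate user's approval of an uncorrelated SMS or call-back prompt."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = set()
    for user, evs in by_user.items():
        evs.sort(key=_t)
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if _t(b) - _t(a) > window:
                    break
                if a["ip"] != b["ip"] and (a["mfa"] or b["mfa"]):
                    flagged.add(user)
    return sorted(flagged)


def legacy_auth_events(events):
    """Sign-ins over legacy protocols. Anything here after a legacy-auth block
    means the policy has a gap (e.g. ActiveSync on older devices was excluded)."""
    return [e for e in events if e["client_app"] in LEGACY_CLIENT_APPS]


def run(events=SAMPLE_EVENTS):
    """Apply all three rules and return the findings."""
    return {
        "low_and_slow_ips": low_and_slow_sources(events),
        "mfa_race_users": mfa_race_users(events),
        "legacy_auth_users": sorted({e["user"] for e in legacy_auth_events(events)}),
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: {hits}")
```

On the constructed sample the noisy brute force against `alice` is left to the lockout threshold, while the four spread-out failures from 203.0.113.5 are flagged precisely because they stay under it; `erin` is flagged for the concurrent approved sign-ins, and `grace` shows up as a legacy-protocol sign-in that the block should have stopped. The thresholds are illustrative; tune `max_per_hour`, `min_users` and `window` against your own baseline before relying on the rules.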