@GossiTheDog : it's not the lack of MFA that is the problem.
Problem 1) is that a SPOF (*) is permitted access to data of millions (either directly or indirectly). This risk includes compromise of client devices.
2) Weak MFA (+) does not prevent these attacks, because the SPOF may be phished into entering their credentials in a third party page that imitates the intended Citrix Netscaler.
Please do not promote a flawed fix for bad passwords (2019: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124).
(*) Single Point Of Failure
(+) SMS, Voice, TOTP, Number Matchting, Location