And I have access to two O365 networks with tons of addresses. Perhaps I should do an "anti-phishing" campaign where I mass-mail everyone about this issue.
That is, because
1- Both have 2 Factor Authentication disabled by their incompetent sysadmins
2- I already managed to gain admin rights with a pico phishing campaign just to see how bad things could get (admin gave me admin password and I just had to ask, that was delightful)
Almost every week we hear about compromised networks, compromised data and all, and we hear about encryption, better security... but we still haven't patched the most important security flaw that has plagued electronic systems since their conception:
Digital illiteracy and plain stupidity.
Any random guy can get anything on the internet, provided he uses the right words. But still, people who have critical data and important accounts are still not taught how to secure their systems. In schools, college and university, some curriculums have classes to teach you how to use O365. Part-time "technological actualization" classes teach you how to use Windows 10 and Office 2016 (or whatever Linux and LibreOffice your enterprise uses).
But you are never taught how to secure your stuff. You are never taught about attacks, phishing, viruses... And some, if not most, office workers hate their job so much they won't waste time asking someone about computer security.