
This article <https://arstechnica.com/information-technology/2022/07/microsoft-details-phishing-campaign-that-can-hijack-mfa-protected-accounts/> points out that a second authentication factor cannot really guard against “man-in-the-middle” attacks. If the fake site is relaying your credentials to log on to the real site, it can just as easily relay any extra authentication factor that arrives through another channel:

> One of the few visually suspicious elements in the scam is the domain name used in the proxy site landing page. Still, given the opaqueness of most organization-specific login pages, even the sketchy domain name might not be a dead giveaway.

Too often, it seems, this use of obscure login URLs neuters the effectiveness of the only real clue the user has that a page is a phishing page.

My own insurance company is doing this sort of thing. They send me a renewal reminder e-mail, and all the links in it go through some online Adobe-run service for tracking the clicks. (Why can it not go through their own domain name, at least?) I told them about it last year and again this year: this year I finally got a response asking me to send them the offending message, which I did.