For those suggesting that once compromised, MFA could just be disabled, the point was to avoid notice. Even among typical users, someone will notice if they aren’t asked for the MFA when they log on to email, and among my users, they will call and complain, worried they had broken something.
So they need an attack that doesn’t involve a noticeable change in settings.