I suppose it would be interesting to think of this attack in a scenario.
Say you worked for a company that didn't require 2FA yet. Then there is a hack, and your co-worker's account is stolen. IT investigates, clears it up, and pushes out a policy that enables 2FA. "Ok everyone, all clear! No need to worry anymore."
A while later, your account is hijacked.