Can someone cleverer than me...
Please explain how MFA would stop this. They're capturing session cookies/tokens through a proxy/relay. Even if MFA is enabled the victim could unwittingly use MFA to log in to the account and the MITM relay/proxy would still capture the cookie/token?