Multi-factor authentication is no panacea
Phishing is highly effective against most organisations, not just universities. Email tools are notoriously difficult to operate safely, and MFA is not a panacea—if an attacker can lure a user to a fake login page under their control, they can MITM most MFA options and still gain access to the user's accounts.
Hardware tokens such as Yubikeys can be proof against such things, but procuring tens of thousands of these is hideously expensive, and has historically presented compatibility problems with common end-user devices.