[londons_explore]

I believe the Twitter attack involved tricking a user into installing proxy software on their machine (to be in twitter's internal network).

If that is the case, that same proxy software could proxy the security key requests too.

[tdhoot]

That can be prevented by restricting the software that can be installed on employee machines.

[c00ls0sa]

WFH has caused many companies to ease up on restrictions involving location, ip, and sometimes a broader need for software. Granted, nobody should be this easy to bamboozle, but I get why now more than ever this may have been an issue.

[Thorrez]

If there's malware involved I don't consider that phishing. Although some would debate that.