by _8j50 1212 days ago
I don't disagree that YubiKeys are effective, but even SMS 2FA could have been effective! This is missing the forest for the trees. Even then, what if it wasn't credential harvesting but a download for an infostealer? Then even YubiKeys are ineffective due to cookie theft.

You have many, many best practices: have a good email protection service/sandbox detonation, MFA, detection + monitoring after the fact, CAP so threat actors can't just log in from any random IP or device, threat hunting, user training, etc. These are all things a good security program should be doing to create the most hostile environment for a threat actor.

People had the same frustrating MFA argument on HN with Uber when it was hacked, but long after the news story hype died down it was revealed that the TA got a contractor's creds via infostealer malware. Access to corporate networks is a common trade item in certain forums.

In this case, MFA of any kind, CAP and a URL-rewriting email security service are all layers of defense that could have caught this before impact.