Blog Post
Defeating Adversary-in-the-Middle phishing attacks
A partner organisation was hit by this, and although you state above "Although enforcing MFA with the right policies makes it nearly impossible for an attacker to complete authentication with stolen credentials over and over whenever they want, they can use this AiTM phishing technique to get a token and do harm until that token expires" - in their case, the attacker registered their own iPhone as MFA device and there is no warning email to let a user know that someone did this on their account. They were undiscovered for a few months before trying it on with a 'new bank details' email for a large invoice that was going to be paid.
I think that this would be a simple and helpful notification to add, so that if a user didn't register a new iPhone just now, but gets an email to say they did, then they could flag it as 'this is not me' and the new device could be removed. Even just the email would be helpful enough as they could report it to someone manually, but an automated block workflow would be cleverer. There doesn't seem to be a way to have a user be notified when this happens, nor to use CA to make sure that registering a new MFA method requires a specific MFA challenge (TAP, or other existing method) - so the AiTM system can use the MFA they've just stolen to create their own MFA device. If it challenged again on adding a new device, even though it's within a minute or two of the user having provided the original approval, they may think twice before approving the second time. If you can suggest any of these mitigations to the team that would be great, we tried doing that through support but that's not a valid way to submit feature requests...
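The detection the comment above is asking for can be approximated today from the tenant's own logs: every "new authentication method registered" audit event produces a user notification, and a registration that follows a sign-in from an IP address the user has never used before is escalated for review. The script below is an added example written for this page; it is not code from the blog post, from the commenter, or from Microsoft. The record shapes, the field names (`user`, `ip`, `time`, `activity`, `method`) and the activity string "User registered security info" are simplified assumptions modelled on Entra ID sign-in and audit log exports, and the sample records are constructed.

```python
"""
Flag MFA-method registrations that follow a sign-in from an unfamiliar IP.

Added example, not part of the original page. Field names and the audit
activity string are assumptions modelled on Entra ID audit/sign-in logs.
"""
from datetime import datetime, timedelta

# Constructed sample sign-in records for one user (assumed field names).
SIGN_INS = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "time": "2024-03-01T09:00:00"},
    {"user": "alice@example.com", "ip": "203.0.113.10", "time": "2024-03-02T09:05:00"},
    # Sign-in from an IP this user has never used before (e.g. a replayed session).
    {"user": "alice@example.com", "ip": "198.51.100.77", "time": "2024-03-03T10:00:00"},
]

# Constructed sample audit records (assumed activity string and field names).
AUDITS = [
    {"user": "alice@example.com", "activity": "User registered security info",
     "time": "2024-03-03T10:02:30", "method": "Microsoft Authenticator (iPhone)"},
    {"user": "alice@example.com", "activity": "User registered security info",
     "time": "2024-03-01T12:00:00", "method": "Phone"},
]

REGISTRATION_ACTIVITY = "User registered security info"  # assumed audit activity name
WINDOW = timedelta(minutes=10)  # how close a sign-in must be to count as the enabling session


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def review_registrations(sign_ins, audits, window=WINDOW):
    """Return one finding per MFA-method registration.

    severity "notify": always, so the user can answer 'this is not me'.
    severity "high":   the registration was preceded (within `window`) by a
                       sign-in from an IP the user had not signed in from before.
    """
    by_user = {}
    for s in sorted(sign_ins, key=lambda r: parse(r["time"])):
        by_user.setdefault(s["user"], []).append(s)

    findings = []
    for a in audits:
        if a["activity"] != REGISTRATION_ACTIVITY:
            continue
        t_reg = parse(a["time"])
        user_sign_ins = by_user.get(a["user"], [])
        # Sign-ins that happened shortly before the registration, oldest first.
        recent = [
            s for s in user_sign_ins
            if 0 <= (t_reg - parse(s["time"])).total_seconds() <= window.total_seconds()
        ]
        finding = {
            "user": a["user"],
            "method": a["method"],
            "time": a["time"],
            "severity": "notify",
            "sign_in_ip": None,
        }
        if recent:
            enabling = recent[-1]  # the sign-in closest to the registration
            earlier_ips = {
                s["ip"] for s in user_sign_ins
                if parse(s["time"]) < parse(enabling["time"])
            }
            finding["sign_in_ip"] = enabling["ip"]
            if enabling["ip"] not in earlier_ips:
                finding["severity"] = "high"
        findings.append(finding)
    return findings


def notification_text(finding) -> str:
    """Body of the 'a new sign-in method was added' message the comment asks for."""
    msg = (f"A new sign-in method ({finding['method']}) was added to {finding['user']} "
           f"at {finding['time']}. If this was not you, report it so the method can be removed.")
    if finding["severity"] == "high":
        msg += f" This followed a sign-in from an IP not seen before: {finding['sign_in_ip']}."
    return msg


if __name__ == "__main__":
    for f in review_registrations(SIGN_INS, AUDITS):
        print(f"[{f['severity']}] {notification_text(f)}")
```

The "unfamiliar IP" heuristic is deliberately simple: a stolen session replayed from the attacker's infrastructure usually arrives from an address the victim has never used, and a method registration minutes later is the pattern the comment describes. In a real tenant the same correlation would be run over the exported sign-in and audit logs rather than the constructed lists here.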