Given the importance of MFA, maybe we should have a mechanism to test that users are not approving MFA when they shouldn't. Much like how we do email security testing, we should have the ability to send users an MFA prompt to see if they mis-approve the login attempt.
I want to share my opinion regarding your comment. I understand the need for a feature like this, but I would say: no MFA if you're working from a trusted device. If you force a user to approve MFA every day (by, for example, configuring a session control), it would be pretty evident that users might click on approve. But if you create a Conditional Access MFA policy with the setting "Exclude Hybrid AD joined devices or compliant devices", they won't even receive an MFA request, and it will look strange when they do. So the chance of approval would be considerably smaller.
Don't get me wrong, but MFA challenges should be reduced, and should worry users, instead of having more of them.
MFA approvals will always be a problem since you rely on your users. But luckily, we have features like risky sign-in that can recognize these kinds of potential hackers.
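One way to build the policy the reply above describes, as an added example that is not the commenter's own configuration: a Conditional Access policy created through the Microsoft Graph PowerShell SDK that requires MFA for all users on all cloud apps but excludes compliant or Hybrid Azure AD joined devices with a filter for devices, and a follow-up query over the sign-in log to see which sign-ins the policy would have hit while it is still in report-only mode. It assumes the Microsoft.Graph module is installed and the signed-in account holds the Policy.ReadWrite.ConditionalAccess and AuditLog.Read.All scopes; the policy name, the break-glass group ID and the sample size of 200 sign-ins are placeholders.

```powershell
# Added example, not the commenter's configuration. Assumes the Microsoft.Graph
# PowerShell SDK and an account with the scopes requested below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

# Placeholder: object ID of a group holding emergency-access accounts, which
# should always be excluded from MFA policies so they cannot lock admins out.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    DisplayName = "CA - Require MFA except on trusted devices"   # placeholder name
    # Start in report-only mode and review the sign-in log before enforcing.
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users        = @{
            IncludeUsers  = @("All")
            ExcludeGroups = @($breakGlassGroupId)
        }
        Applications = @{
            IncludeApplications = @("All")
        }
        Devices      = @{
            # Filter for devices in "exclude" mode: devices matching the rule are NOT
            # subject to this policy, so they never see an MFA prompt. Unknown or
            # unregistered devices do not match and therefore still get the prompt.
            # trustType "ServerAD" is the value for Hybrid Azure AD joined devices.
            DeviceFilter = @{
                Mode = "exclude"
                Rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check: while the policy is report-only, each sign-in records what the policy
# would have done. Result values include reportOnlySuccess, reportOnlyFailure
# and reportOnlyNotApplied. Sign-ins from excluded (trusted) devices should show
# reportOnlyNotApplied; anything else would have received an MFA prompt.
$signIns = Get-MgAuditLogSignIn -Top 200
$signIns | ForEach-Object {
    $hit = $_.AppliedConditionalAccessPolicies | Where-Object { $_.Id -eq $created.Id }
    if ($hit) {
        [PSCustomObject]@{
            User   = $_.UserPrincipalName
            Time   = $_.CreatedDateTime
            Result = $hit.Result
        }
    }
} | Format-Table -AutoSize
```

The older "device state" condition with the "Exclude Hybrid Azure AD joined devices" and "Exclude devices marked as compliant" checkboxes, which is what the reply refers to, has been superseded by the filter for devices shown here. An equivalent shape is to keep the device condition empty and set the grant control to "Require one of the selected controls" with MFA, compliant device and Hybrid Azure AD joined device (`BuiltInControls = @("mfa", "compliantDevice", "domainJoinedDevice")` with `Operator = "OR"`); either way, a prompt only appears from a device that is not trusted, which is the point the reply makes. Switch `State` to `enabled` only after the report-only results look right.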