Bypassing mobile push authentication - an example
Out-of-band multifactor authentication (MFA) such as mobile push is now routinely exploited, as witnessed in recent attacks against Mailchimp, Cloudflare, Twilio, Uber and many others.
Attack frameworks now automate the entire phishing lifecycle: from e-mail design and attacker-in-the-middle (AitM) proxy infrastructure to harvesting the credentials and session tokens and using them.
As an educational example, see the Evilginx phishing framework - the animation below illustrates an attack simulating a Google account login with MFA (video credit: Evilginx/Kuba Gretzky):
More info on this attack technique can be found here.
All the more reason to strengthen authentication with phishing-resistant techniques such as FIDO2/WebAuthn, which bind each assertion to the origin the browser actually connected to, so a proxy on a lookalike domain cannot relay a valid login.
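As an added illustration (not part of the original post) of why WebAuthn resists the attacker-in-the-middle proxy described above: the browser, not the web page, writes the origin into the signed clientDataJSON, and the authenticator signs only for an RP ID derived from that origin. The relying-party checks below are written in Python; the RP ID, origin and challenge values are constructed placeholders, and signature verification is omitted.

```python
import base64
import hashlib
import json

# Added illustration, not code from the original post. The relying party (RP)
# identity and origin below are constructed placeholders.
RP_ID = "accounts.example.com"
EXPECTED_ORIGIN = "https://accounts.example.com"


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses in JSON fields."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_assertion(client_data_b64: str, auth_data: bytes, issued_challenge: bytes) -> bool:
    """Origin, challenge and rpIdHash checks an RP performs on a login assertion."""
    # Signature verification over authenticatorData || sha256(clientDataJSON)
    # is omitted here; it is what makes these fields tamper-evident.
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False
    if b64url_decode(client_data.get("challenge", "")) != issued_challenge:
        return False
    # The browser fills in the origin it connected to; a proxy on another
    # domain can never obtain an assertion carrying the RP's own origin.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False
    # authenticatorData starts with sha256(rpId); the authenticator only
    # signs for an RP ID the browser derived from the real origin.
    return auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()


def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed clientDataJSON as a browser at `origin` would produce it."""
    return b64url_encode(json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode())


CHALLENGE = b"constructed-32-byte-challenge-value"  # constructed sample
GOOD_AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x07"
# Assertion produced by a user who is on the genuine site: accepted.
legit = check_assertion(make_client_data(EXPECTED_ORIGIN, CHALLENGE),
                        GOOD_AUTH_DATA, CHALLENGE)
# Same challenge relayed by an AitM proxy on a lookalike domain: the browser
# records the proxy's origin, so the RP rejects the assertion.
proxied = check_assertion(make_client_data("https://accounts-example.com", CHALLENGE),
                          GOOD_AUTH_DATA, CHALLENGE)
```

Contrast this with a push approval, which carries nothing that ties it to the origin the user typed their password into, so the proxy's session is approved like any other.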