The attacker was going through the sign in flow on their own computer. In the MFA step, it shows you a number and asks to you press the same number on your phone.

There's a screenshot of what this looks like here: https://gist.github.com/zachlatta/f86317493654b550c689dc6509...