Mike, a senior executive, had 2-factor authentication enabled on his Office 365 account, so the attacker needed the verification code to take over Mike’s account. So he texted Mike a fake enrollment notification. In this example, the attacker posed as an Employee Emergency Notification Service; however, it could have been any other service that the company uses (that’s why we should share less about which apps we are using).
To make it look legit, the attacker gave Mike the option to click YES or NO. It made Mike feel like he was in control and significantly increased the chances that he would continue.
The attacker most likely hit “forgot password”, and a code was sent to Mike. In any case, Mike doesn’t suspect that the code he received was triggered by a login attempt or a password reset, and thinks he is sharing it with an automated system.
Once Mike shares the code with the attacker, it’s game over and the attacker can take over Mike’s account. At the end, the attacker sends Mike a message saying he was successfully enrolled, in order to close the loop so that Mike won't suspect that anything wrong happened.
How to avoid this type of attack
1) Don't automatically trust anyone, including robots. In Star Wars, droids weren’t allowed in bars because they monitor everything and can be corrupted. This is where we are today with machines. Never share security codes with anyone - including automated systems that contact you out of the blue.
2) Call your admin, company, or the person supposedly behind the request, and verify that the request is authentic.