MFA verifies who logged in. It has no idea what they do next.

via venturebeat.com

Short excerpt below. Read at the original source.

Every MFA check passed. Every login was legitimate. The compliance dashboard was green across every identity control. And the attacker was already inside, moving laterally through Active Directory with a valid session token, escalating privileges on a trajectory toward the domain controller. This is the scenario playing out inside enterprises that invested heavily in authentication […]
