I wonder if it was something like DUO and employees were told to just hit approve.
Get employee's password
Call employee
"Hey [employee], I'm [coworker] from the security team and we noticed your DUO was locked. I just enabled it, but we want to make sure it works. Hit Approve when you get a notification."
Log in with password
Wait for employee to hit Approve.
That's why you need a phishing-resistant method of 2FA. U2F is phishing resistant. Any type of OTP, or anything that doesn't bind the user action to the URL bar, is susceptible to phishing. U2F has the computer verify the URL bar, so it's phishing-resistant.
I just find it ironic that the same people pushing for 2FA and arbitrary password rules are now saying "oh I guess 2FA is phishable".
The best defense against phishing seems to be to hire competent people, to train them on that, and to establish "No You-Know-Who-You're-Talking-To" policies, as in, if something fails to get done for whoever didn't follow security procedures (example: "CEO" asking for an "urgent" favour), that is not blamed.
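The origin binding described in the U2F comment above, as an added example that is not part of the original thread: a simplified model of the relying party's check, showing why a response produced on a look-alike page fails while a relayed OTP still verifies. HMAC stands in for the token's ECDSA signature, and the origins, key and OTP value are all constructed.

```python
import hashlib, hmac, json, os

RP_ORIGIN = "https://login.example.com"  # constructed: origin of the real site
DEVICE_KEY = os.urandom(32)              # stand-in for the key registered to the token

def _mac(client_data: bytes) -> bytes:
    # Assumption: HMAC replaces the token's ECDSA signature to stay in the stdlib.
    return hmac.new(DEVICE_KEY, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

def browser_sign(page_origin: str, challenge: str):
    # The browser, not the user or the page, writes the origin it is actually on.
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}).encode()
    return client_data, _mac(client_data)

def server_verify_u2f(client_data: bytes, sig: bytes, expected_challenge: str) -> bool:
    if not hmac.compare_digest(sig, _mac(client_data)):
        return False  # client data was altered after signing
    data = json.loads(client_data)
    return data["challenge"] == expected_challenge and data["origin"] == RP_ORIGIN

def server_verify_otp(code: str, expected_code: str) -> bool:
    # An OTP (or a push approval) carries no record of where the user entered it.
    return hmac.compare_digest(code, expected_code)

def demo() -> dict:
    challenge = os.urandom(16).hex()
    lookalike = "https://login.examp1e.com"  # constructed look-alike origin
    # User signs in on the real site.
    legit = server_verify_u2f(*browser_sign(RP_ORIGIN, challenge), challenge)
    # Same challenge answered on the look-alike page: signed origin is wrong.
    relayed = server_verify_u2f(*browser_sign(lookalike, challenge), challenge)
    # Rewriting the origin field afterwards invalidates the signature.
    client_data, sig = browser_sign(lookalike, challenge)
    forged = client_data.replace(b"examp1e", b"example")
    tampered = server_verify_u2f(forged, sig, challenge)
    # A code typed into any page verifies, because nothing binds it to an origin.
    otp_relayed = server_verify_otp("492817", "492817")
    return {"legit": legit, "relayed": relayed,
            "tampered": tampered, "otp_relayed": otp_relayed}

if __name__ == "__main__":
    print(demo())
```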