LTT's video is interesting in that it doesn't really explain what preventative steps they are going to take in the future outside of "training". If you're solely relying on training to be your bulwark, then this is going to happen again. Humans are the weakest, most vulnerable link. Your email infra should be automatically stripping attachments or isolating them if those attachments don't conform to strict security best practices (and dog do I hate that phrase, but it is applicable). I use ProtonMail for my personal and business email, for example. They will strip images out of emails if it seems remotely fishy and give you a plain-text version of as much of that email as possible. EXEs? Right out the window (not that it would do me any harm). They also explicitly list out the full name of a file without truncation, so you know exactly what it is. They even notify you if that totally legit-looking email from "Google" fails its DMARC lookup and if the IP or sending agent doesn't match what they know should be Google. Not in a subtle way, either. The only thing missing is the sound of a siren blaring from your speakers and flashing lights on your screen. Even then, I am sure there would be lusers who would ignore that and execute "HappyPuppiesPlayingTotallyNotMalwarefromRussia.pdf.docx.jpg.exe".
The first question I have is: why are the users at LMG allowed to execute random shit on their workstations to begin with? That's classic domain policy and user management failure. No user who is not an admin with a very limited scope should be allowed to install or execute anything that isn't preloaded by SCCM as part of their imaging process and digitally signed. The second question I have is why is your firewall allowing random data streams outbound? You should have clearly defined whitelist and blacklist rules whose default behavior should be set to DENY instead of ALLOW. Some time ago, they did a video on using pfSense as their core router. Using the product extensively myself, I know that such is possible because I do it myself. No outbound traffic is exiting my node that is not on a carefully curated whitelist. So connections outbound to "235432423423cczxc.com" are going to be blocked. I don't even have to worry about it. As large of an organization as LMG is, I would expect them to have a competent, paranoid, well-versed network admin, if not architect, who can handle that. This would have blocked the exfiltration of the session data. Unless it also set up a temporary VPN connection, but that is also viewable and blockable.
Finally, MFA IS NOT SECURITY! IT IS THE ILLUSION OF SECURITY! Yes, I yelled that because it is important. SMS, Google/Authy, email, whatever. All of them assume that you have control of the device that receives that MFA. This is a flawed premise and one that is easily exploitable. The only real auth security is keypairs, because one is private and encrypted (or at least, it should be if you can breathe without being constantly reminded to) and should be independent of the device you are receiving the request for tokenization on. For example, I need to unlock and prove my identity on some service. I plug in my YubiKey, which is the auth token needed to decrypt the private half of my key that exists on my box. Because the YubiKey is popped at the factory, it is strictly read-only, so it cannot be compromised at the device level. Can my system be? The possibility exists, but because the OS I use doesn't run nearly everything as a system service/user or admin user (looking right at you here, Windows), I would get a prompt for an elevated permissions request. That should, and would, make me sit back and go "Huh...that should not be happening. Let's find out what's going on before we proceed." Even so, that's not absolutely foolproof, but it is much, much more secure than MFA that relies on you having access to an addressable, writable device.
"Just take a look around you, what do you see? Pain, suffering, and misery." -Black Sabbath, Killing Yourself to Live.
“Man was born free, and he is everywhere in chains” -Jean-Jacques Rousseau
Purveyor of cute, fuzzy, pink bunny slippers.
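The mail-gateway behaviour the post describes (quarantine executable or multi-extension attachments, surface the DMARC verdict instead of hiding it) can be modelled in a few dozen lines. The following is an added example written for this page; it is not ProtonMail's code or anything from the original post. It uses only Python's standard `email` package, and the message it inspects is constructed inline: the sender domain, the `Authentication-Results` header and the attachment names are all made up for the demonstration. The extension lists are an illustrative policy, not a claim about what any real gateway blocks.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Illustrative policy (assumption, not any vendor's list): final extensions that
# Windows will execute, and "document-like" extensions that attackers stack in
# front of them so a truncated filename looks harmless.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "msi", "ps1", "hta"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}


def classify_filename(name: str) -> str:
    """Return 'allow', 'suspicious' or 'quarantine' for an attachment name.

    Only the *last* extension decides what the OS does with the file, so that is
    what drives a quarantine; document-looking extensions buried in the middle
    ("report.pdf.zip") are flagged as a disguise attempt.
    """
    parts = name.lower().split(".")
    if len(parts) < 2:
        return "allow"
    final, inner = parts[-1], parts[1:-1]
    if final in EXECUTABLE_EXTENSIONS:
        return "quarantine"
    if inner and any(p in DOCUMENT_EXTENSIONS for p in inner):
        return "suspicious"
    return "allow"


def inspect_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and apply the gateway policy.

    The DMARC verdict is read from the Authentication-Results header that the
    receiving MX would have stamped; the untruncated filename of every
    attachment is kept so the user sees exactly what was sent.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = msg.get("Authentication-Results", "")
    match = re.search(r"dmarc=(\w+)", auth)
    dmarc = match.group(1) if match else "none"

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        attachments.append((name, classify_filename(name)))

    # Deliver untouched only when authentication did not fail outright and
    # every attachment passed; anything else goes to the loud-warning path.
    deliver = dmarc != "fail" and all(verdict == "allow" for _, verdict in attachments)
    return {"from": msg.get("From", ""), "dmarc": dmarc,
            "attachments": attachments, "deliver": deliver}


def build_sample_message() -> bytes:
    """Constructed test message: a spoofed 'Google' sender with a stacked-extension payload."""
    msg = EmailMessage()
    msg["From"] = "Google Security <no-reply@accounts.google.com>"
    msg["To"] = "editor@example.com"
    msg["Subject"] = "Sponsorship offer"
    # Constructed header, as a receiving MX would add it after its own checks.
    msg["Authentication-Results"] = (
        "mx.example.com; spf=fail smtp.mailfrom=accounts.google.com; "
        "dkim=none; dmarc=fail header.from=accounts.google.com"
    )
    msg.set_content("Please review the attached brief.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="brief.pdf")
    msg.add_attachment(b"MZ constructed sample", maintype="application",
                       subtype="octet-stream", filename="HappyPuppies.pdf.docx.jpg.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    report = inspect_message(build_sample_message())
    print(f"From: {report['from']}  DMARC: {report['dmarc']}")
    for name, verdict in report["attachments"]:
        print(f"  {verdict:11} {name}")
    print("deliver:", report["deliver"])
```

The design point matches the post: the decision is made by the gateway from headers and filenames it already has, so the user never has to notice the `.exe` at the end of a truncated name or recall whether that sender normally passes DMARC.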
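The second point in the post, a default-DENY outbound policy with a curated whitelist, is easy to reason about once it is written down as a rule table evaluated first-match-wins, which is how pfSense and most packet filters behave. The code below is an added example, not the post author's configuration or pfSense's own rule syntax: it evaluates a handful of constructed egress flows against a small allow-list and shows which ones a default-deny edge would have dropped. All networks (TEST-NET ranges), ports and log lines are made up for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One egress rule. A None field means 'any'."""
    action: str                                   # "allow" or "deny"
    proto: Optional[str]                          # "tcp", "udp" or None
    dst_net: Optional[ipaddress.IPv4Network]      # destination network or None
    dport: Optional[int]                          # destination port or None
    comment: str

    def matches(self, proto: str, dst: ipaddress.IPv4Address, dport: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.dst_net is None or dst in self.dst_net)
                and (self.dport is None or self.dport == dport))


# Constructed whitelist: internal networks, the company's own resolver, and the
# one SaaS range the business actually needs. Everything else hits the default.
RULES = [
    Rule("allow", None,  ipaddress.ip_network("10.0.0.0/8"),       None, "internal / pfSense LAN"),
    Rule("allow", "udp", ipaddress.ip_network("10.0.0.53/32"),     53,   "internal resolver only"),
    Rule("allow", "tcp", ipaddress.ip_network("203.0.113.0/24"),   443,  "approved SaaS provider (constructed)"),
    Rule("allow", "tcp", ipaddress.ip_network("198.51.100.10/32"), 22,   "git hosting, pinned to one host (constructed)"),
]
DEFAULT_ACTION = "deny"   # the post's point: flip the default from ALLOW to DENY


def evaluate(proto: str, dst_ip: str, dport: int) -> tuple[str, str]:
    """First matching rule wins; fall through to the default action."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in RULES:
        if rule.matches(proto, dst, dport):
            return rule.action, rule.comment
    return DEFAULT_ACTION, "default policy"


# Constructed flow-log format: "<proto> <src> -> <dst>:<port>"
FLOW_RE = re.compile(r"^(tcp|udp)\s+(\S+)\s+->\s+(\S+):(\d+)$")

SAMPLE_FLOWS = """\
tcp 10.0.5.21 -> 203.0.113.40:443
udp 10.0.5.21 -> 10.0.0.53:53
udp 10.0.5.21 -> 198.51.100.53:53
tcp 10.0.5.21 -> 192.0.2.77:443
tcp 10.0.5.21 -> 192.0.2.77:1194
tcp 10.0.5.21 -> 198.51.100.10:22
"""


def audit(flow_log: str) -> list[tuple[str, str, str]]:
    """Evaluate every parsable line; return (line, action, reason) triples."""
    results = []
    for line in flow_log.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        proto, _src, dst, port = m.groups()
        action, reason = evaluate(proto, dst, int(port))
        results.append((line, action, reason))
    return results


def denied_destinations(flow_log: str) -> set[str]:
    """Just the destinations a default-deny edge would have stopped."""
    return {line.split("-> ")[1] for line, action, _ in audit(flow_log) if action == "deny"}


if __name__ == "__main__":
    for line, action, reason in audit(SAMPLE_FLOWS):
        print(f"{action.upper():5} {line:40} ({reason})")
```

Two of the constructed flows illustrate the post's closing remark: an HTTPS connection to an unlisted host and an OpenVPN-style port 1194 connection to the same host both fall through to the default and are denied, so a session token headed for an unknown server, or a tunnel set up to hide it, is stopped by the same rule table. The cost of this model is operational, not technical: someone has to own the whitelist and add the next SaaS provider before anyone needs it.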