The article already mentions slipping in a low volume of MFA notifications instead as an alternative that is less suspicious. You only need one person to accept. And I think you overestimate how much attention engineers pay to any security or compliance type of training.