Maybe if you set up a site that looks like a login form phishing for the PW then immediately forwarding it to the target site, then do the same for a 2FA token you have a point.
But in any other case where the victim isn't in the loop, that 2FA protects them (hopefully). If you haven't been to target.com in a week, you're not going to click the pop-up on your phone to log in out of the blue (hopefully).
Ideally your 2FA methods are not as simple as just sending a code and having the user parrot it back though. There might be some cryptography going on that would make it even harder for the attacker to interfere.
But in any other case where the victim isn't in the loop, that 2FA protects them (hopefully). If you haven't been to target.com in a week, you're not going to click the pop-up on your phone to log in out of the blue (hopefully).
Ideally your 2FA methods are not as simple as just sending a code and having the user parrot it back though. There might be some cryptography going on that would make it even harder for the attacker to interfere.