
Can someone explain point #9 in the gist? How’d they know part of the two factor code?


It's not a two-factor code like you're thinking of. That code is shown on the sign-in / account recovery page, to whoever is making that attempt. Then the same value has to be chosen on the mobile device that's being used to authenticate that sign-in.

The goal isn't to protect against phishing or social engineering, but against people accidentally approving a sign-in they didn't initiate.


(specifically, there are "credential stuffing" style sign-in attacks where an attacker logs in "suspiciously" at the same time as a legit log in, possibly after forcing a log-out, hoping you approve both your log in and theirs when you get two, or ten pop-ups)


The attacker was going through the sign in flow on their own computer. In the MFA step, it shows you a number and asks you to press the same number on your phone.

There's a screenshot of what this looks like here: https://gist.github.com/zachlatta/f86317493654b550c689dc6509...
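The number-matching flow described in the comments above, as an added illustrative example (constructed for this thread, not code from the gist or from the service being discussed). It models the server side of a push prompt whose two-digit number is shown only to the party starting the sign-in, and then plays out the "two prompts at once" situation: the real user answers every prompt with the number on their own screen, so the attacker's prompt is denied. The account name, the two-digit range and the fixed numbers 42 and 17 are assumptions for the demonstration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class SignInAttempt:
    attempt_id: str
    account: str
    shown_number: int        # displayed on the sign-in page to whoever started the attempt
    state: str = "pending"   # pending -> approved | denied


class NumberMatchingMFA:
    """Minimal server-side model of number-matching push approval (constructed example).

    Every sign-in attempt gets its own random number. The number is shown only on
    the page of the party attempting to sign in; the phone is asked to enter it.
    An approval carrying the wrong number is treated as a denial, which is what
    stops a victim from rubber-stamping a prompt that somebody else created.
    """

    def __init__(self, rng=lambda: secrets.randbelow(100)):
        self.rng = rng           # injectable so the scenario below is deterministic
        self.attempts = {}

    def start_sign_in(self, account):
        attempt = SignInAttempt(secrets.token_hex(8), account, self.rng())
        self.attempts[attempt.attempt_id] = attempt
        return attempt

    def pending_prompts(self, account):
        # What the user's phone would list: every open attempt for the account,
        # without the number (the user has to supply it from the sign-in page).
        return [a for a in self.attempts.values()
                if a.account == account and a.state == "pending"]

    def respond(self, attempt_id, entered_number):
        attempt = self.attempts[attempt_id]
        if attempt.state != "pending":
            raise ValueError("attempt already resolved")
        attempt.state = "approved" if entered_number == attempt.shown_number else "denied"
        return attempt.state


def concurrent_prompt_scenario(numbers=(42, 17)):
    """Legit user and attacker sign in at the same time; the phone shows two prompts.

    The user enters the number from their own screen into every prompt (the
    behaviour the attacker is hoping for). Returns the final state of each attempt.
    `numbers` seeds the victim's and the attacker's number, in that order; the
    default (an assumption) avoids a collision so the outcome is fixed.
    """
    seq = iter(numbers)
    mfa = NumberMatchingMFA(rng=lambda: next(seq))
    victim = mfa.start_sign_in("alice")     # the real user, on their own laptop
    attacker = mfa.start_sign_in("alice")   # attacker, on their own machine, same account

    # The phone lists both prompts; the user can't tell them apart and answers both
    # with the only number they can see, which is the one on the victim's laptop.
    for prompt in mfa.pending_prompts("alice"):
        mfa.respond(prompt.attempt_id, victim.shown_number)

    return {"victim": victim.state, "attacker": attacker.state}


if __name__ == "__main__":
    print(concurrent_prompt_scenario())   # {'victim': 'approved', 'attacker': 'denied'}
```

The caveat worth keeping in mind is the one the comments hint at: with a two-digit space, an attacker's concurrent prompt carries the same number as the victim's with probability 1 in 100 (passing `(7, 7)` to `concurrent_prompt_scenario` shows both attempts approved), and the check does nothing against a phisher who relays the real page, since the victim then sees the attacker's number and enters it willingly.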


What I'm confused by is how they got that far, to the point that 2FA was the only thing in their way. Did they already have this user's password?



