Citrix has had 2FA for logins outside the corporate network for years. They also lock your account after 3 consecutive failed login attempts (even internally).
Not saying Citrix security is perfect, but protecting yourself from this kind of attack is certainly not as simple as "Add 2FA and limit login attempts".
Not saying Citrix security is perfect, but protecting yourself from this kind of attack is certainly not as simple as "Add 2FA and limit login attempts".