> Of course that's all moot if the attacker also changes the email address.

Maybe don't allow changing the email address right after changing 2fa?

And if the email is changed, send an email to the original email alllowing you to dispute the change.