[michaelt]

  Well that clearly doesn't look like a U2F prompt.

Thus downgrading U2F from "makes phishing impossible" to "relies on the user taking care to spot phishing attempts"

[josteink]

So just like any other phishing attempt then. What did we gain again?

[mehrdadn]

Playing devil's advocate here (because I do agree this would be ridiculous but I think this is worth pointing out), but you can never completely rule out tricking the user. They could always download a file and run it to bypass the browser or something. So the question really is how easy it is to trick the user here.