by IshKebab 2136 days ago
In my experience companies are pretty bad at always using their own domain even for legitimate things. I suspect it is because getting IT to do something like setting up a subdomain in any company I've worked in is virtually impossible, whereas buying a new domain is easy.

So I think most users wouldn't think something like `microsoft-it-support.com` would be suspicious.

2 comments

This is a huge problem in government from what I've seen. In Canada, every province has a longstanding two-character .ca domain, and I think they all have a 'gov' third-level domain. For example, in Saskatchewan we have gov.sk.ca. However, instead of using that namespace, some departments go and register domains that look like phishing URLs. How about ehealthsask.ca for everyone in Saskatchewan to access digital health records instead of ehealth.gov.sk.ca? Yep, that's a thing.

It's pure idiocy. Instead of teaching the public that *.gov.sk.ca is a trustworthy, government run namespace everyone has their own domains and the general public is left to guess what's legitimate and what's phishing. Good luck with that.

And they all buy overpriced SSL certificates.

Yeah, this is very annoying. It's not every company, but it's enough different companies to be a problem.

PayPal (a company that more or less constantly moans about phishing) operated www.paypal-special.com which is a tremendously phishy-looking name, but it was a real PayPal site until they shut it down.

One nice side effect of WebAuthn binding credentials to a dnsName is that you can't change domain names without trashing all the credentials. It's mechanically impossible. So when yet another marketing genius wants customers to go to some-daft-marketing-idea.example instead of your-actual-website.example they can put fluff on that site if they want, but any sign-in or other credentials stuff will need to happen on your-actual-website.example anyway.
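The two checks behind these comments, the "is this host really under the trusted namespace" question from the gov.sk.ca comment and the WebAuthn rule that an RP ID must equal the origin's host or be a registrable-domain suffix of it, are the same label-wise suffix comparison. The block below is an added example written for this thread, not code from any commenter or from a WebAuthn library. It assumes a small constructed public-suffix list in place of the real Public Suffix List that browsers consult, and the example domains are the ones the comments use.

```javascript
// Added example for this thread (not from any commenter). Label-wise domain
// suffix matching, used for two things:
//   1. deciding whether a hostname sits inside a trusted namespace such as
//      *.gov.sk.ca, and
//   2. the WebAuthn client-side rule: an RP ID is acceptable for an origin only
//      if it equals the origin's host or is a registrable-domain suffix of it.
// ASSUMPTION: browsers use the Public Suffix List for step 2; this example
// stands in a tiny constructed list so it runs offline.
const PUBLIC_SUFFIXES = new Set(["com", "ca", "sk.ca", "example"]);

// Normalise a hostname into lowercase DNS labels, dropping a trailing dot.
function labels(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".");
}

// True if host === suffix or host ends with "." + suffix, compared by whole
// labels so that "ehealthsask.ca" does not match "sask.ca"-style substrings
// and "gov.sk.ca.evil.com" does not match "gov.sk.ca".
function isLabelSuffix(host, suffix) {
  const h = labels(host);
  const s = labels(suffix);
  if (s.length === 0 || s.length > h.length) return false;
  return h.slice(h.length - s.length).every((label, i) => label === s[i]);
}

// Check 1: is `host` inside the trusted government namespace?
function inTrustedNamespace(host, namespace) {
  return isLabelSuffix(host, namespace);
}

// WebAuthn "registrable domain suffix of or equal to" test: the candidate must
// be a label suffix of the host and must not itself be a public suffix, so a
// site cannot register credentials scoped to all of "sk.ca" or "example".
function isRegistrableDomainSuffixOrEqual(candidate, host) {
  if (!isLabelSuffix(host, candidate)) return false;
  if (PUBLIC_SUFFIXES.has(labels(candidate).join("."))) return false;
  return true;
}

// Check 2: would a client accept `rpId` for a credential ceremony run from
// `origin`? The origin must be a secure context (https, or localhost in
// browsers) and the RP ID must pass the suffix rule above.
function rpIdValidForOrigin(rpId, origin) {
  const url = new URL(origin);
  const host = url.hostname;
  const secure = url.protocol === "https:" || host === "localhost";
  return secure && isRegistrableDomainSuffixOrEqual(rpId, host);
}

module.exports = { isLabelSuffix, inTrustedNamespace, isRegistrableDomainSuffixOrEqual, rpIdValidForOrigin };
```

With these, a credential registered with RP ID `your-actual-website.example` is usable from `https://login.your-actual-website.example` but not from `https://some-daft-marketing-idea.example`, which is exactly the mechanical constraint the last comment describes; the same helper tells you that `ehealthsask.ca` is not under `gov.sk.ca`.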