by jtsiskin 901 days ago
It’s pretty easy to guess what features (either manually made or AI based) the phishing detector saw:

1. “Facebook” and “login” in the URL

2. URL redirect

3. “Facebook login”, “password login”, “forget password” etc. in text body

4. The quoted email from Spotify sounding close (in vector space) to phishing text.

5. A link to Facebook settings, followed by a series of steps; these instructions say to log in to a non-Facebook url using your Facebook email

All of these together were probably enough to hit some threshold. From there the issue was just misaligned personal incentives, all along the chain from engineers at Facebook to Netcraft and Digital Ocean, that lead to false positives being an acceptable outcome.
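A toy scorer built from the five features listed above, as an added example that is not part of the comment or of any real detector: it runs over a constructed email modelled on a legitimate "link your Facebook account" message and shows every heuristic firing on benign mail, which is the false-positive mechanism the comment describes. The phrase lists, the redirect table, the word-density stand-in for the vector-space feature and the threshold are all assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a benign account-linking message in the style of the
# Spotify email discussed in the thread (not the real email).
SAMPLE_EMAIL = """\
Hi, you asked to connect your Facebook account to Spotify.

1. Open https://www.facebook.com/settings and check which email is on your Facebook account.
2. Go to https://accounts.spotify.com/login?provider=facebook and log in using your Facebook email.
3. Forgot password? Use the reset link on the login page.

Thanks, Spotify
"""
# Constructed redirect table: where each link lands after following it.
SAMPLE_REDIRECTS = {
    "https://accounts.spotify.com/login?provider=facebook": "https://www.spotify.com/account/login/",
}
PHISHY_PHRASES = ("facebook login", "password login", "forget password", "forgot password")
CREDENTIAL_WORDS = ("password", "account", "log in", "verify", "email")
THRESHOLD = 3  # hypothetical cut-off; the real detector's threshold is unknown

def extract_links(text):
    return re.findall(r"https?://[^\s)>\"']+", text)

def host(url):
    return urlparse(url).netloc.lower()

def score_email(body, redirects=None):
    """Return (score, fired): one point per heuristic from the comment that fires."""
    redirects = redirects or {}
    links, text = extract_links(body), body.lower()
    fired = []
    if any("facebook" in l.lower() and "login" in l.lower() for l in links):
        fired.append("brand and 'login' in URL")                       # feature 1
    if any(l in redirects and host(redirects[l]) != host(l) for l in links):
        fired.append("link redirects to another host")                 # feature 2
    if any(p in text for p in PHISHY_PHRASES):
        fired.append("credential phrases in body")                     # feature 3
    # Crude stand-in for 'close in vector space': density of account vocabulary.
    if sum(text.count(w) for w in CREDENTIAL_WORDS) >= 4:
        fired.append("credential-heavy wording")                       # feature 4
    fb_link = any(host(l).endswith("facebook.com") for l in links)
    other_login = any(not host(l).endswith("facebook.com") and "login" in l.lower() for l in links)
    if fb_link and other_login and "facebook email" in text:
        fired.append("Facebook link, then off-site login with Facebook email")  # feature 5
    return len(fired), fired

def is_flagged(body, redirects=None):
    return score_email(body, redirects)[0] >= THRESHOLD
```

Running `score_email(SAMPLE_EMAIL, SAMPLE_REDIRECTS)` fires all five heuristics on the benign message, while a plain receipt notice scores zero; the individual rules are each defensible, and the threshold is what turns them into a false positive.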