[kristiandupont]

I guess the argument would be that a screened app store would block such a malicious app.

But since the trick requires the user to go to a malicious website to install this app, it seems to me that the user might similarly be tricked into entering credentials on that website.

[ghayes]

Ideally, the best defense here is a FIDO-compliant 2FA or Passkey that would properly not send a valid credential for a different domain.

[ffpip]

This looks a lot like a Oauth request, where you are redirected to sign-in. You check the URL and enter the creds, with the assumption that you are using "Sign in with Microsoft" to login to the site since this is how that login flow works

[whartung]

That’s the thing. For a desktop app, they can pop up a chromeless web view with the Oauth login page. You can’t vet the authenticity at all.

[paulddraper]

No, the malicious website would have a "Sign in with Facebook".

You would enter your credentials on something that (according to a url bar) is Facebook.com