> depending entirely on the legitimacy of their domain
Just move the phishing attack down each step of your dependency chain.