There's an active phishing site sat on @Netlify, pulls the user's domain from their email in the URL fragment, then requests the domain's favicon via google to make it look more legitimate. When submitted, it'll redirect to the mailbox domain https://twitter.com/bentasker/status/1374396994194575368/photo/1