Comment Re:they kinda have a point (Score 1) 22
The one - and ONLY - time I've ever been successfully phished, it was (in large part) because the attacker gained access to a legitimate domain without the owner noticing, and set up a webserver mimicking the MS federated auth login screen on the host's server.
The FQDN was correct, and the cert presented matched, so everything looked proper. (And since somehow everyone and their dog have decided to use embedded iFrames again (despite the x^y vulnerabilities they present), even the auth redirect looked "right".)
Fortunately I realised what I had done immediately afterward and was able to change my MS auth (required by my company) immediately, so no damage was done. (Thank %deity%.)
I now routinely enter my credentials incorrectly the first time on any web auth page. For any attack except those relaying the credentials in real-time, this causes a false positive. It's not perfect, but it would have worked that day, and is one more layer to help.
MS' disclaimer that this is an impractical threat model is not only incorrect, it's asinine.
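As an added illustration (not the commenter's own code), here is a small model of the "enter the wrong password first" heuristic from the post above, including the real-time relay case where it does not help. The identity provider, the two harvester backends and the credentials are all constructed stand-ins.

```python
# Added example: models the decoy-password check described in the comment.
# Every backend and credential here is constructed for illustration.

# Constructed credential store for the "legitimate" identity provider.
LEGIT_USERS = {"alice@example.test": "correct-horse-battery"}


def legit_idp(user: str, password: str) -> dict:
    """The real login endpoint: rejects anything but the right password."""
    ok = LEGIT_USERS.get(user) == password
    return {"status": 200 if ok else 401}


def naive_harvester(user: str, password: str) -> dict:
    """Look-alike page that records whatever is typed and always 'succeeds'."""
    return {"status": 200}


def relay_harvester(user: str, password: str) -> dict:
    """Look-alike page that forwards each attempt to the real IdP as it
    arrives and mirrors the answer, so a wrong password is rejected exactly
    as it would be on the genuine page. The decoy check cannot see this."""
    return legit_idp(user, password)


def decoy_probe(login, user: str, decoy_password: str = "wrong-on-purpose") -> bool:
    """Return True if the page is suspicious: it accepted a password we know
    to be wrong. False only means it behaved like a real IdP, which is not
    proof of legitimacy (see relay_harvester)."""
    resp = login(user, decoy_password)
    return resp["status"] == 200


def classify_all() -> dict:
    """Run the decoy check against each constructed backend."""
    user = "alice@example.test"
    return {
        "legit": decoy_probe(legit_idp, user),
        "naive_harvester": decoy_probe(naive_harvester, user),
        "relay_harvester": decoy_probe(relay_harvester, user),
    }


if __name__ == "__main__":
    for name, suspicious in classify_all().items():
        print(f"{name:16s} suspicious={suspicious}")
```

The relay row is the one the comment itself flags as the gap: only the harvester that blindly accepts input is caught, which is why this is a layer and not a substitute for phishing-resistant MFA.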