
The attack is quite good, it'll probably work in many cases. I wonder why I would land on a dubious website, and why I would want to log in on it.

While the attack might work, I doubt most of the accounts collected would be very valuable for the attacker. It would be mostly people looking for free porn or broke people trying to pirate some movie.



> I wonder why I would land on a dubious website, and why I would want to log in on it.

Random phishing attacks via e-mail? Someone posing as a colleague or whatever, telling people to use this new thing for whatever reason, like a dubious OneDrive link.

Bonus credibility points: it uses login with MS, so it must be legit, since we're all using Office365!

Plus, random-non-tech-literate person won't be tipped off by MS requiring another login, especially since they've been trained by IT to log in very often thanks to ridiculously short session durations.



