Their example is really dumb. Eventually, you get a fake Microsoft login page, but they clip out the address bar which clearly isn’t a Microsoft address so your auto complete password isn’t going to be put into the form and you’d have to be pretty dumb to type it in my hand or even to know your Microsoft password, it should be some random thing generated by Safari or whatever your password manager is. Not to mention two factor authentication.
Most people are "really dumb" by your standards then. Not only are most people not going to check the URL, but many people don't know how password managers work, and the only reason they use the browser password manager is because it is on by default, and it is saving their collection of 3 reused passwords they manually type at each site when it doesn't auto populate.
