pushsecurity / saas-attacks

Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face. #nolockdown

Home Page: https://pushsecurity.com/blog/saas-attack-techniques/

Hosting phishing pages on SaaS (AMP)

jacques- opened this issue · comments

With the Google AMP phishing stuff in the news (https://cofense.com/blog/google-amp-the-newest-of-evasive-phishing-tactic/) I'm wondering if there isn't a generic technique here? This doesn't feel like it's going to be solved quickly.

Perhaps something like "Trusted phishing hosting" - many different SaaS apps allow hosting of custom web content. Clearly the issue is amplified when that SaaS domain also hosts common SSO login pages (as Google above, but you've got to imagine there is going to be an equivalent on MS?).

Otherwise it might be best to just capture the AMP technique directly until we see similar techniques on other platforms.
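A defender-side illustration of why host-only link reputation misses this, added here as an example and not part of the original issue or the saas-attacks project: it unwraps the destination embedded in a Google AMP viewer link so the wrapped host can be judged instead of `google.com`. It assumes the viewer URL shape `https://www.google.com/amp/s/<host>/<path>` (`s/` meaning HTTPS); the function names, host sets and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Assumption: hosts treated as the Google AMP viewer; extend for regional domains.
AMP_VIEWER_HOSTS = {"google.com", "www.google.com"}


def amp_embedded_target(url):
    """Return (scheme, host) of the page an AMP viewer link wraps, or None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in AMP_VIEWER_HOSTS:
        return None
    # Decode first so percent-encoded slashes (%2F) cannot hide the structure.
    segments = [s for s in unquote(parts.path).split("/") if s]
    if not segments or segments[0].lower() != "amp":
        return None
    rest = segments[1:]
    scheme = "http"
    if rest and rest[0] == "s":          # "/amp/s/" wraps an HTTPS page
        scheme, rest = "https", rest[1:]
    if not rest or "." not in rest[0]:   # next segment must look like a hostname
        return None
    return scheme, rest[0].split(":")[0].lower()


def classify(url, trusted_hosts):
    """Judge a link by the host it wraps, not by the SaaS host that serves it."""
    target = amp_embedded_target(url)
    if target is None:
        return "not-amp"
    host = target[1]
    if host in trusted_hosts or any(host.endswith("." + t) for t in trusted_hosts):
        return "amp-trusted-target"
    return "amp-untrusted-target"


if __name__ == "__main__":
    # Constructed sample links using reserved example domains.
    samples = [
        "https://www.google.com/amp/s/login.example.test/sso",
        "https://www.google.com/amp/s/login.example.test%2Fsso",
        "https://www.google.com/amp/s/news.example.org/story",
        "https://www.google.com/search?q=amp",
    ]
    for link in samples:
        print(classify(link, {"example.org"}), link)
```

The same unwrap-then-evaluate step applies to any SaaS domain that serves or forwards to third-party content, with a parser written for that platform's URL format.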