That's a particular scheme that might be fooled, but what's stopping someone from making a version of the same scheme that redirects to a prompt on the real site which authorizes them as a new user? I'll admit web technologies aren't my area of expertise but I have little doubt it's possible based on my interactions so far. E.g. Discord allowing me to log in to a new device by scanning a QR code with my phone and clicking OK.
Ultimately the point of phishing is to attack the user instead of the technology. If the user has any control over access to their account, phishing is largely unaffected.
Often they allow picking an entry for arbitrary domain names, made necessary by firms (such as Microsoft) randomizing their login domains to look like phishing domains.*
* Not what they are doing, but to the casual user, logging into xbox.com, office.com, or even microsoft.com through something like microsoftonline.com may as well be phishing.
I wouldn't assume a 3-character .com is a phishing domain; they're hardly cheap and disposable. But I get your point, I've seen some suspicious (legitimate) alternate domains. Stuff like (not a real example) amazon-fulfillment.com.
You’re loosely describing a CSRF vulnerability; these do occur, but people try to design against them and mitigate them. For example, actions that mutate often require POST (which won’t be triggered by a link), cookies may be marked strict (and not sent from frames or following links), etc.
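The two CSRF mitigations named in the reply above (POST for state-changing actions, cookies marked strict), modelled as an added example that is not part of the thread. The browser rule is a simplified SameSite model, and the scenarios, function names and token are constructed for illustration.

```python
"""Simplified model: POST-only mutation plus SameSite session cookies."""
from http.cookies import SimpleCookie

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def session_cookie_header(token, samesite="Strict"):
    """Build the Set-Cookie value a server would send for the session."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["samesite"] = samesite
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    c["session"]["path"] = "/"
    return c["session"].OutputString()

def browser_sends_cookie(samesite, same_site_request, top_level_nav, method):
    """Simplified browser rule for attaching the cookie to a request."""
    if same_site_request or samesite == "None":
        return True
    if samesite == "Lax":
        # Cross-site: only top-level navigations with a safe method.
        return top_level_nav and method in SAFE_METHODS
    return False  # Strict: never attached to cross-site requests

def server_accepts_mutation(method, has_session_cookie):
    """Server side: a state change needs POST and an authenticated session."""
    return method == "POST" and has_session_cookie

# Constructed request contexts: (label, same_site, top_level_nav, method)
SCENARIOS = [
    ("form submitted on the site itself", True, True, "POST"),
    ("link followed from another site", False, True, "GET"),
    ("POST request from another site", False, True, "POST"),
    ("frame embedded on another site", False, False, "GET"),
]

def evaluate(samesite):
    """Return {scenario label: whether the mutation would be accepted}."""
    results = {}
    for label, same_site, top_level, method in SCENARIOS:
        sent = browser_sends_cookie(samesite, same_site, top_level, method)
        results[label] = server_accepts_mutation(method, sent)
    return results

if __name__ == "__main__":
    print(session_cookie_header("constructed-token"))
    for policy in ("Strict", "Lax", "None"):
        print(policy, evaluate(policy))
```

Under `SameSite=None` the cross-site POST is the only cross-site case accepted, which is why the POST-only rule and the cookie attribute are used together rather than either alone.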