Also, seriously, what kind of chucklefuck puts the boundary at "clicking on the phish"?
It's 2024. Browser one-click system hijacks aren't a thing anymore now that there's an actual fucking security model in the major OSs - and ain't anyone using zero-days on commercial customers anyway.
Your vuln surface is "putting the credentials in" and that's been covered for -years- now by, holy shit, MFA and credential managers.
This is not difficult. All of the issues around phishing are -extremely- solvable on the systems architecture and administration end; if phishing -matters- to your org then your org is set up wrong.
And yes, wrong. There is clearly a right way to do this.
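The mechanism the post above leans on, shown as an added example that is not part of the thread: both a credential manager and a WebAuthn-style authenticator key on the origin the browser actually observed, which a phishing page cannot forge. The vault contents, hostnames and HMAC key are constructed sample data, and the assertion step is a simplified model of WebAuthn (HMAC standing in for the credential's signature), not the real protocol.

```python
"""Origin binding: why "putting the credentials in" is a boundary architecture can close.

Part 1 models a credential manager that only fills for the host a secret was
saved on. Part 2 models a WebAuthn-style assertion whose clientDataJSON carries
the browser-observed origin, so a relying party can reject an assertion that
was produced on a lookalike domain. Both are simplified teaching models.
"""
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed sample vault (hypothetical data): saved host -> credentials.
VAULT = {
    "example.com": {"username": "alice", "password": "correct horse battery staple"},
}


def _host_within(host, saved_host):
    """True if host is the saved host itself or a subdomain of it."""
    return host == saved_host or host.endswith("." + saved_host)


def fill_for(url):
    """Return saved credentials only for an HTTPS page on the saved host (or its subdomain).

    Lookalikes such as examp1e.com or example.com.evil.test, plain-HTTP pages, and
    unparseable URLs get nothing, so a phishing page never receives the secret.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower()
    for saved_host, creds in VAULT.items():
        if _host_within(host, saved_host):
            return creds
    return None


# --- Part 2: WebAuthn-style origin binding (simplified model, not the real protocol) ---
# A real authenticator signs authenticatorData || SHA-256(clientDataJSON) with the
# credential's private key. Here HMAC with a constructed key stands in for that
# signature so the example runs offline; the origin check is the point.

def authenticator_sign(key, rp_id, origin, challenge):
    """Produce (clientDataJSON, signature). The browser supplies the true origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    return client_data, hmac.new(key, signed, hashlib.sha256).digest()


def verify_assertion(key, expected_rp_id, expected_challenge, client_data, signature):
    """Relying-party check: fresh challenge, origin within the RP ID, valid signature."""
    try:
        data = json.loads(client_data)
    except ValueError:
        return False
    if data.get("type") != "webauthn.get" or data.get("challenge") != expected_challenge:
        return False
    host = (urlsplit(data.get("origin", "")).hostname or "").lower()
    if not _host_within(host, expected_rp_id):
        return False  # assertion was made on a lookalike site; relaying it is useless
    rp_id_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    expected_sig = hmac.new(
        key, rp_id_hash + hashlib.sha256(client_data).digest(), hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected_sig, signature)


if __name__ == "__main__":
    print("real site  :", fill_for("https://example.com/login"))
    print("lookalike  :", fill_for("https://examp1e.com/login"))
    key = b"constructed-demo-key"
    cd, sig = authenticator_sign(key, "example.com", "https://examp1e.com", "nonce-1")
    print("relayed assertion from lookalike accepted?",
          verify_assertion(key, "example.com", "nonce-1", cd, sig))
```

The two checks compose: the manager never types the password into the lookalike page, and even if a user is tricked into completing a WebAuthn ceremony there, the origin recorded in the client data does not match the relying party's ID, so the relayed assertion fails verification. Neither check helps against a phish that asks the victim to take the harmful action directly.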
@munin What about phishes that ask you to actually do the harmful action (e.g. wire money, reveal confidential information, ...) instead of getting you to provide credentials so that they can do the action?