As security professionals, we never want end users to click on a phishing link. But following the path of what would have happened if they had can be instructive.

Take this attack, which is built around a fake business proposal. The goal, as seen at the end of the chain, is to harvest the user's credentials.

It starts, as usual, with a phishing email.

The email contains a link to a hosted "project" page, where the recipient can examine the proposal.


From there, you are invited to "submit quotes" for the proposal. 

That link, however, requires a login, and that is where they get you. Notice the URL.

Many phishing attacks, particularly credential-harvesting ones, involve multiple steps. The click on the initial link is not enough on its own; the credentials entered at the end of the chain are what the attacker is after. By presenting what looks like a logical sequence of events (a proposal, a request for quotes, a login required to submit them), the attacker makes it more believable for the user to keep clicking and finally enter their credentials.

The key thing to look out for is the URLs. On the "login" page, the URL does not match Microsoft's sign-in domains, even though the page presents itself as a Microsoft login. That's a red flag.
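To make "the URL doesn't match Microsoft" concrete, here is an added example (not code from the original post) of the check a user or a mail filter should actually perform: trust only the registered hostname of the login page, compared exactly against an allowlist of hosts that really serve Microsoft sign-in. The allowlist, the brand strings, and the sample URLs below are constructed assumptions for illustration; the point the example adds is which parts of a URL an attacker controls (path, query, userinfo before `@`, subdomains of their own domain, lookalike characters) and therefore must be ignored by the check.

```python
from urllib.parse import urlsplit

# Hostnames that genuinely serve Microsoft sign-in pages. This allowlist is an
# assumption for the example; extend it for the identity providers your tenant
# really uses, and keep it exact-match, never substring-match.
MICROSOFT_LOGIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
})

# Brand strings a phisher tends to embed in a lookalike hostname (assumed list).
BRAND_STRINGS = ("microsoft", "office", "outlook", "sharepoint")


def classify_login_url(url: str) -> tuple[bool, str]:
    """Return (is_legit, reason) for a URL that presents a Microsoft login form.

    Only the registered hostname is trusted. Everything an attacker controls
    (scheme, path, query, userinfo, subdomains of their own domain) is either
    rejected outright or ignored.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme!r}, not https"

    # .hostname is lowercased and already has 'user:pass@' and ':port' removed,
    # so 'login.microsoftonline.com:443' resolves to the real host.
    host = parts.hostname
    if not host:
        return False, "no hostname"
    host = host.rstrip(".")  # 'example.com.' names the same host as 'example.com'

    if parts.username is not None:
        # https://login.microsoftonline.com@evil.example/ : the text before '@'
        # is userinfo, the real host is what follows it. Treat as hostile.
        return False, f"userinfo before '@' hides the real host {host!r}"

    if host in MICROSOFT_LOGIN_HOSTS:
        return True, f"host {host!r} is on the allowlist"

    # Non-ASCII or punycode labels: an allowlisted host never needs them, so a
    # near-identical name with a Cyrillic 'o' is a homoglyph, not Microsoft.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return False, f"internationalised host {host!r} is not on the allowlist (possible homoglyph)"

    # 'login.microsoftonline.com.quote-portal.example' is a subdomain of the
    # attacker's domain; the brand string is bait, not evidence.
    if any(brand in host for brand in BRAND_STRINGS):
        return False, f"lookalike host {host!r} carries a Microsoft brand string but is not Microsoft"

    return False, f"host {host!r} is not a Microsoft login host"


# Constructed sample URLs standing in for the "submit quotes" login link.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc",
    "https://login.microsoftonline.com:443/",
    "https://login.microsoftonline.com./",
    "http://login.microsoftonline.com/",
    "https://login.microsoftonline.com.quote-portal.example/login",
    "https://login.microsoftonline.com@quote-portal.example/login",
    "https://quote-portal.example/login.microsoftonline.com/signin",
    "https://login.micros\u043eftonline.com/",  # Cyrillic 'о' in place of Latin 'o'
]


def triage(urls: list[str]) -> list[tuple[str, bool, str]]:
    """Classify each URL; returns (url, is_legit, reason) rows."""
    return [(u, *classify_login_url(u)) for u in urls]


if __name__ == "__main__":
    for url, legit, reason in triage(SAMPLE_URLS):
        print(f"{'OK  ' if legit else 'FLAG'} {url}\n      {reason}")
```

Note the ordering: a rejection for userinfo happens even before the allowlist is consulted, because a sign-in URL has no legitimate reason to carry `user@` and browsers silently drop it, which is exactly why phishers use it. The only three URLs that pass are the ones whose registered host, after stripping the port and a trailing dot, is literally an allowlisted Microsoft sign-in host.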
