The situation is this: You go to some web store. You click "Sign In With Microsoft" (or Google, or Facebook, etc.). You expect the site to be able to know your Microsoft/Google/Facebook email address. You don't expect the site to be able to take over your entire Microsoft/Google/Facebook account.
So it's a site you trust enough to use, but you don't trust it enough to give it control over your other accounts. This phishing attack gives it control over your other accounts.
The situation is this: You go to some web store. You click "Sign In With Microsoft" (or Google, or Facebook, etc.). You expect the site to be able to know your Microsoft/Google/Facebook email address. You don't expect the site to be able to take over your entire Microsoft/Google/Facebook account.
So it's a site you trust enough to use, but you don't trust it enough to give it control over your other accounts. This phishing attack gives it control over your other accounts.