Hacker News

throwaway290 today at 10:32 AM

That's just for support. Legit password resets, for example, come from more random top-level domains with "microsoft" in it, like microsoftonline.com

Another fun one is Facebook; they use facebookmail.com or whatever else for serious security stuff


Replies

CraigRood today at 10:50 AM

Is this because at one point <username>@facebook.com was a valid communication method? Great concept to be fair, but once you pull back the first layer you can immediately see its problems.

Metacelsus today at 11:15 AM

>Legit password resets for example come from more random top level domains with "microsoft" in it, like microsoftonline.com

Or aka.ms

e40 today at 10:47 AM

The number of redirects while using MS properties is just insane. It makes whitelisting them in uBO impossible because they redirect so fast, through multiple domains. The whitelisting is sometimes needed to make them work.
