As you can see in the URL, this page, which looks like a Microsoft Office page, is hosted on a site named dynv6[dot]net.
If a user hovers over the link in the email before clicking it, they will see the destination of the link at the bottom left corner of their browser (the location may vary between browsers). If it claims to be Microsoft but reads (something).dynv6[dot]net, well, you know not to click that. Right?
Users who miss this hint and still enter their credentials into this page will be redirected to an error page on Microsoft’s website. This last page is a genuine, legitimate Microsoft site; it leads the victim away from the attacker’s web page, completely unaware that they have submitted their credentials to the attacker’s database.
Just for the fun of it, I can direct you to the same page right now. Here, click this link and you will find yourself on the same error page those victims found themselves on: https://login.live.com/login.srf?wa=wsignin1.0
This can take another shape: Click here to submit your credentials, or to win a million dollars, or to just practice not falling for online scams (it’s the last one).
Imagine the confusion of a user who has not been educated on the matter, clicking through Microsoft to figure out what is wrong with their email, while in fact there is nothing wrong with it, except that the attacker now knows how to log into it.
If you noticed that the phishing page is not being served over a secured connection, great job! It’s worth noting, though, that a secured connection on its own would not have proven the page legitimate, because the attacker could have hosted the site on Microsoft Azure, which would have given it a windows.net domain with an SSL certificate issued by Microsoft.
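The hover check and the certificate caveat described above can be automated for mail that claims to come from Microsoft. The following is an added example, not code from the original article: it compares each link's visible text with its real destination host and treats shared hosting suffixes as untrusted even over HTTPS. The trusted host list, the brand words and the sample email body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: the sign-in hosts this organisation trusts, and suffixes under
# which anyone can obtain a subdomain (dynamic DNS, cloud hosting).
TRUSTED_HOSTS = {"login.live.com", "login.microsoftonline.com"}
SHARED_SUFFIXES = ("dynv6.net", "windows.net")
BRAND_WORDS = ("microsoft", "office", "outlook")
# Constructed sample email body; the hostnames are placeholders.
SAMPLE = (
    '<a href="http://example.dynv6.net/login">Sign in to Microsoft Office</a>'
    '<a href="https://example.blob.core.windows.net/login.html">Microsoft account</a>'
    '<a href="https://login.live.com/login.srf?wa=wsignin1.0">Microsoft sign-in</a>'
)

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, text):
    """Return the reasons a link deserves suspicion (empty list if none)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reasons = []
    # The visible text names the brand but the real destination is elsewhere.
    if any(w in text.lower() for w in BRAND_WORDS) and host not in TRUSTED_HOSTS:
        reasons.append("brand-mismatch")
    # A valid certificate on a shared suffix says nothing about the tenant.
    if any(host == s or host.endswith("." + s) for s in SHARED_SUFFIXES):
        reasons.append("shared-hosting")
    if parts.scheme != "https":
        reasons.append("no-tls")
    return reasons

def audit_email(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return {href: check_link(href, text) for href, text in parser.links}
```

Calling `audit_email(SAMPLE)` returns a mapping from each link to its list of reasons; the windows.net link is flagged even though it is served over HTTPS.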