Some companies uses bare hostnames for internal systems. Those same companies use HTTP Basic auth to log into those systems. And some routers have weird behaviour for DNS resolution, like prioritising .net as the default TLD.
I ran into a situation where, even on VPN, going to https://<company>vacation/ on my home network would take me to https://<company>vacation.net (a valid domain). It would have been trivial for the owner of that domain to phish for credentials.
I had an issue with an old Access Point whose DHCP server set up the local domain suffix as accespointbrand.com, with no way to change it from GUI nor config file.
Unfortunately the AP manufacturer didn’t renew the domain and it was squatted by an ad serving website.
Every hare domain became subdomain.accesspointbrand.com
So now and then I would get those ads when using wifi. I ended up changing the Access point.
I ran into a situation where, even on VPN, going to https://<company>vacation/ on my home network would take me to https://<company>vacation.net (a valid domain). It would have been trivial for the owner of that domain to phish for credentials.