I hate that companies do this. I get why they might do this to avoid red tape but it just piles on the phishing / scamming possibilities for people who don't know better.
Yup, I have seen both extremes: Global brands which redirect all their country-specific domains to their one global .com domain (good!) as well as global banks where every small branch and sub-organisation like funds and charitable foundations have their own domains, along with similar but not identical corporate branding. Training users of the latter brands to not fall for phishing in the latter case is gonna be next to impossible, as is whitelisting the legitimate domains.
You can make your domain effectively an eTLD by putting it on the Public Suffix List. This is what Google did with withgoogle.com. This means no cookies can be set on withgoogle.com. So hire.withgoogle.com is completely isolated from games.withgoogle.com (they are separate eTLD+1s).
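The isolation described in the comment above, as an added example that is not part of the original thread: a simplified Public Suffix List lookup showing how the eTLD+1 and the cookie-scope check change once withgoogle.com is listed as a suffix. The rule sets are a constructed excerpt, the function names are hypothetical, and wildcard and exception rules are left out.

```javascript
// Constructed excerpt of Public Suffix List rules (assumption: the real list is
// far longer). "withgoogle.com" is the entry the comment above describes.
const RULES_WITH = new Set(["com", "uk", "co.uk", "withgoogle.com"]);
const RULES_WITHOUT = new Set(["com", "uk", "co.uk"]);

const norm = (h) => h.toLowerCase().replace(/^\./, "").replace(/\.$/, "");

// Longest matching plain rule wins; if nothing matches, the default rule "*"
// makes the last label the public suffix.
function publicSuffix(host, rules) {
  const labels = norm(host).split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (rules.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// eTLD+1: the public suffix plus one more label, or null if the host is
// itself a public suffix and therefore has no registrable domain.
function registrableDomain(host, rules) {
  const h = norm(host);
  const suffix = publicSuffix(h, rules);
  if (h === suffix) return null;
  const rest = h.slice(0, h.length - suffix.length - 1).split(".");
  return rest[rest.length - 1] + "." + suffix;
}

// Browser-style scope check: may `host` set a cookie with Domain=`cookieDomain`?
// A Domain attribute naming a public suffix is refused for every subdomain.
function canSetCookie(host, cookieDomain, rules) {
  const h = norm(host);
  const d = norm(cookieDomain);
  if (publicSuffix(d, rules) === d) return h === d; // host-only at most
  return h === d || h.endsWith("." + d);
}

// Two hosts are "same site" when they share a registrable domain.
function sameSite(a, b, rules) {
  const ra = registrableDomain(a, rules);
  return ra !== null && ra === registrableDomain(b, rules);
}
```

With the suffix entry present, each subdomain is its own site; without it, both hosts collapse to withgoogle.com and can share a parent-domain cookie.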
It also makes every script look like it comes from a third party, because they usually keep using scripts from their main domain. Even worse when they have a stable of random cdn-like domains that serve scripts and iframes.
We logged a paid support case with Microsoft a while back, and support tickets were coming from something like microsoftdynamicssupport.net. The domain wasn't even registered so we had to call them and discuss the way our email replies were bouncing. They told us to forward everything to the same address, on the .com version of the domain. Months later a colleague had the same problem. It's like the people managing these support desks didn't even know what domains Microsoft owned.