Can’t wait for everything to be FIDO2 and security keys (phishing proof) and for these people to go get real jobs flipping burgers or something where their employers withhold their taxes…
Not too au fait with FIDO2 details. How exactly would it help in this instance if the user believes they are entering their details into a valid MS form? Is it that the attacker would only be able to log in once?
AFAIK WebAuthn uses the domain as passed from the browser. So the user might see micorsoft.com, but to the device it's a different domain, so it won't pass on the keys.
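To make the point in the last reply concrete, here is an added toy model of the WebAuthn origin binding (constructed example code, not something any poster in this thread wrote). The domains `example.com` / `login.examp1e.com` are made up for the illustration, an HMAC key stands in for the per-credential private key, and the "registrable domain" is approximated as the last two labels; real authenticators sign with asymmetric keys and browsers use the public suffix list. What the model preserves is the mechanism: the browser, not the user, tells the authenticator which RP ID the page belongs to, the authenticator only answers for RP IDs it holds a credential for, and the relying party re-checks the origin and `rpIdHash` before it even looks at the signature.

```python
"""Toy model of WebAuthn origin binding (added illustration, not real FIDO code).
The browser decides which RP ID the authenticator sees, and the relying party
re-checks that RP ID and origin before trusting the signature.
"""
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

# Constructed domains for this example. The "phishing" host is a lookalike.
LEGIT_RP_ID = "example.com"
LEGIT_ORIGINS = {"https://login.example.com"}
PHISH_ORIGIN = "https://login.examp1e.com"


class Authenticator:
    """Security-key stand-in. Credentials are keyed by RP ID; an HMAC key plays
    the role of the per-credential private key (simplification for this toy)."""

    def __init__(self):
        self._creds = {}

    def make_credential(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self._creds[rp_id] = key
        return key  # the RP stores this as the credential's "public key" here

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        key = self._creds.get(rp_id)
        if key is None:
            # A credential scoped to example.com is invisible to examp1e.com
            raise LookupError(f"no credential scoped to rp_id={rp_id!r}")
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        auth_data = rp_id_hash + b"\x01" + (1).to_bytes(4, "big")  # flags(UP) + counter
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(origin: str, challenge: bytes, authr: Authenticator):
    """What the browser does: derive the RP ID from the page origin (not from
    anything the page displays) and build clientDataJSON around it."""
    host = urlparse(origin).hostname
    rp_id = ".".join(host.split(".")[-2:])  # toy eTLD+1 approximation
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()
    auth_data, sig = authr.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(client_data: bytes, auth_data: bytes, sig: bytes, key: bytes, challenge: bytes) -> str:
    """Subset of the relying party's WebAuthn assertion checks, in order."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("origin") not in LEGIT_ORIGINS:
        return "origin mismatch"
    expected = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    if cd.get("challenge") != expected:
        return "challenge mismatch"
    if auth_data[:32] != hashlib.sha256(LEGIT_RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    good = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, sig):
        return "bad signature"
    return "ok"


def login_via(origin: str) -> str:
    """Full ceremony: the user lands on `origin`, the RP judges what comes back."""
    authr = Authenticator()
    key = authr.make_credential(LEGIT_RP_ID)  # registration happened on the real site
    challenge = os.urandom(32)
    try:
        client_data, auth_data, sig = browser_get(origin, challenge, authr)
    except LookupError as e:
        return f"authenticator refused: {e}"
    return rp_verify(client_data, auth_data, sig, key, challenge)


def relayed_assertion() -> str:
    """Even an assertion that was scoped to the lookalike domain and forwarded
    on is rejected by the RP on origin/rpIdHash, before any signature check."""
    authr = Authenticator()
    key = authr.make_credential(LEGIT_RP_ID)
    authr.make_credential("examp1e.com")  # a credential enrolled on the lookalike site
    challenge = os.urandom(32)
    client_data, auth_data, sig = browser_get(PHISH_ORIGIN, challenge, authr)
    return rp_verify(client_data, auth_data, sig, key, challenge)


if __name__ == "__main__":
    print(login_via("https://login.example.com"))  # ok
    print(login_via(PHISH_ORIGIN))                 # authenticator refused: ...
    print(relayed_assertion())                     # origin mismatch
```

Running it shows the two layers: on the lookalike origin the authenticator never produces anything usable because the browser hands it a different RP ID, and even a forwarded assertion fails the relying party's origin check. That answers the "log in once" question above: the attacker does not get a single use, because there is no credential-bound response for their domain to relay.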