According to Scam Sniffer, most Solana wallet attackers actively use third-party domains to bypass the wallet blacklist. (For example, register an expired DAPP domain, now exploiting XSS vulnerabilities). If you see a DAPP pop-up with a second window (or redirect) asking to connect in another window, double check that it is secure.