but the device is under the control of BAD. They fake a signin on their backend to GOOD. Your computer never touches GOOD at all, except from seeing the email from GOOD (which you're told about by BAD, and lied to about being a partner signin thing).

The problem being exploited by BAD is that your login account identifier (email in this case) is used in both GOOD (and BAD - accidentally or deliberately orchestrated), and 2-factor does not prevent this type of phishing.