I recently came across a phishing emails with a link leading to a subdomain of citi.com, owned by Citibank. Further investigation shows that this particular subdomain is used by Citibank for marketing emails.
You can see the link, rewritten by an email security system, links to l.info16.citi.com, shown in brackets at the end of the link.
Here is the page I was redirected to from the landing page on Citibank to a subdomain of windows.net.
I notified Citibank of the phish landing page on their servers and it appears they and Microsoft have taken it down from their respective pages.
–Matt