Good catch but I’d go further. I’d never log into any account from an email link — even if the URL seemed ok (and I wouldn’t know if it did because I’d likely never click on it). My reasoning: Stands to reason that if you can get your iPhone back by logging into your iCloud account (highly unlikely) you could do the same by using a known, safe iCloud bookmark, log in, and do the same. In other words, the action of retrieving the phone is not dependent on the email link if the email really came from Apple. Make sense?