With this bypass, an attacker can gain unauthorized access to a company's private communities without ever verifying his *fake email*, whenever access is validated only on the email's domain suffix, for example a community that is private to addresses ending with @company.com. So now we bypass that check and become one of the employees :))
Something else to take into consideration in a flow like this: sometimes that *fake email ending with the company domain* can also unlock more features and functions meant for employees, and in that case it's a great finding that can lead to a nice exploit.
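To make the root cause concrete from the defender's side, here is an added example (not code from the original writeup or the affected application) that puts the suffix-only gate beside a hardened one. The `Account` fields, function names and sample addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


# Hypothetical account record; the field names are assumptions for this example.
@dataclass
class Account:
    email: str
    email_verified: bool  # True only after the user proved control of the mailbox


def _domain(email: str) -> str:
    """Return the lower-cased domain part, or '' if the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def can_join_weak(account: Account, community_domain: str) -> bool:
    # The flawed gate described above: only the address suffix is checked,
    # so a self-asserted, never-verified address is accepted.
    return account.email.lower().endswith("@" + community_domain.lower())


def can_join_hardened(account: Account, community_domain: str) -> bool:
    # Domain-based membership is granted only for a verified address,
    # and the domain is compared exactly rather than by suffix.
    if not account.email_verified:
        return False
    return _domain(account.email) == community_domain.lower()


# Constructed sample accounts (not real data).
UNVERIFIED = Account("someone@company.com", email_verified=False)
VERIFIED = Account("Employee@Company.com", email_verified=True)
OUTSIDER = Account("user@example.org", email_verified=True)
```

The same verified-email condition belongs on every employee-only feature that keys off the domain, not only on community membership.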