If the attacker changes the Host to a domain that they control, such as evil-user.net, the victim would then receive an email similar to the following:
It looks like you have forgotten your password. To reset it, please click the link below:
This would be a genuine email from the website and, importantly, would contain the valid token required to reset this user's password. However, as the URL points to the attacker's website, clicking this link would cause the user to expose their reset token to the attacker. By visiting the real URL with the user's leaked token, the attacker could subsequently reset the victim's password unimpeded.