Browsers send the web domain in the Host header of the HTTP request - but this header value is only informational. It is not used in routing and can be set any value an attacker chooses.
Host
The Host Header
GET /login HTTP/1.1 Host: website.com Connection: keep-alive Content-Type: text/html