OAuth Device Code Phishing: A New Microsoft 365 Account Breach Vector
165 pts 1 month ago · security
Attackers are exploiting Microsoft's OAuth device code flow in a surge of phishing campaigns: ANY.RUN reports detecting more than 180 phishing URLs targeting Microsoft 365 accounts in a single week. This is a shift from traditional credential phishing to token-based account takeover. The device code flow is a legitimate OAuth 2.0 grant (RFC 8628) built for input-constrained devices such as smart TVs, printers and CLI tools: the client requests a device code and a short user code, the user types the user code into microsoft.com/devicelogin and signs in normally, and the client polls the token endpoint until the grant is approved and tokens are issued. In the phishing variant the attacker's script is the client. The lure only has to persuade the victim to enter the attacker's user code on the genuine Microsoft sign-in page, so there is no fake login page to host, the victim completes password and MFA on legitimate infrastructure, and the resulting access and refresh tokens are delivered to the attacker. Because no password is ever harvested, controls built around credential theft (password resets, leaked-credential alerts, look-alike-domain blocking) do not fire, and credential validation tells the SOC nothing. Detection has to come from the sign-in logs, where these sessions show up as device-code authentications, and from restricting the flow with Conditional Access where no legitimate device needs it; otherwise the compromise can persist unnoticed for as long as the refresh token stays valid.
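The exchange described above, as an added example that is not part of the original post or of any Microsoft or ANY.RUN code. It is a self-contained Python simulation of the device authorization grant with an in-memory stand-in for the authorization server, an attacker-side client that requests the code pair and polls for tokens, and a victim-side approval step that checks password and MFA on the server so the client never touches them. The client id, scopes, user-code format and the shape of the sign-in records at the end are assumptions (the log field names are modelled loosely on Entra ID sign-in logs; check your tenant's real schema), and the sample sign-ins are constructed.

```python
import secrets
import string
import time
from dataclasses import dataclass, field

VERIFICATION_URI = "https://microsoft.com/devicelogin"  # the genuine Microsoft device-login page


@dataclass
class DeviceCodeServer:
    """In-memory stand-in for the authorization server's device-flow endpoints (assumption)."""
    pending: dict = field(default_factory=dict)       # device_code -> grant record
    by_user_code: dict = field(default_factory=dict)  # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Device authorization endpoint: the CLIENT (here the attacker) asks for a code pair."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))  # format is an assumption
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "approved_by": None, "expires_at": time.time() + 900,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": 900, "interval": 5}

    def user_approves(self, user_code: str, username: str, mfa_passed: bool) -> str:
        """The VICTIM's own browser session at the verification URI. Password and MFA are
        verified here by the identity provider and never pass through the requesting client."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_user_code"
        if not mfa_passed:
            return "mfa_required"
        self.pending[device_code]["approved_by"] = username
        return "approved"

    def token(self, client_id: str, device_code: str) -> dict:
        """Token endpoint, grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if rec["expires_at"] < time.time():
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}  # client keeps polling every `interval` seconds
        return {"token_type": "Bearer", "scope": rec["scope"], "sub": rec["approved_by"],
                "access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32)}


def run_phish(server: DeviceCodeServer, victim: str, victim_completes_mfa: bool = True):
    """Attacker side: obtain a code pair, lure the victim into entering the user code, poll.
    Returns (poll result before the victim acts, poll result after the victim acts)."""
    client_id = "attacker-chosen-public-client"  # assumption: a public client allowed to use the flow
    codes = server.device_authorization(client_id, "openid offline_access Mail.Read")
    # The lure carries only codes["user_code"] and the genuine verification_uri: nothing fake to host.
    before = server.token(client_id, codes["device_code"])
    server.user_approves(codes["user_code"], victim, victim_completes_mfa)
    after = server.token(client_id, codes["device_code"])
    return before, after


# Constructed sign-in records shaped loosely like Entra ID sign-in log entries (field names assumed).
SAMPLE_SIGNINS = [
    {"user": "alice@contoso.example", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "status": "success"},
    {"user": "bob@contoso.example", "authenticationProtocol": "none",
     "ipAddress": "198.51.100.4", "status": "success"},
    {"user": "carol@contoso.example", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.4", "status": "success"},
]


def suspicious_device_code_signins(records, expected_device_ips):
    """Flag successful device-code sign-ins from outside the addresses where headless devices
    and CLI tooling legitimately live. A starting heuristic, not a complete detection."""
    return [r["user"] for r in records
            if r["authenticationProtocol"] == "deviceCode"
            and r["status"] == "success"
            and r["ipAddress"] not in expected_device_ips]
```

The first poll returns `authorization_pending`; once the victim has signed in with password and MFA on the real login page, the same poll returns a bearer token and refresh token issued in the victim's name to the attacker's client. The detection helper illustrates the log-side view: the only thing that distinguishes this session from a benign one is the authentication protocol and where the polling client sits.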