OAuth Device Code Phishing: A New Microsoft 365 Account Breach Vector
140 pts 1 month ago · security · cryptography
Attackers are increasingly exploiting Microsoft's OAuth Device Code flow in phishing campaigns targeting Microsoft 365 accounts. ANY.RUN detected 180+ phishing URLs in one week. This marks a shift from credential phishing to token-based account takeover, which makes detection significantly harder for SOC teams. Because the attack uses a legitimate authentication mechanism, it bypasses traditional defenses and enables direct account compromise without the password ever being compromised.