OAuth Device Code Phishing: A New Microsoft 365 Account Breach Vector
85 pts 1 month ago · security · cryptography
Attackers increasingly exploit Microsoft's OAuth Device Code flow for token-based account takeover instead of credential theft. ANY.RUN detected 180+ phishing URLs in one week targeting Microsoft 365 users. This represents a significant shift: rather than stealing passwords, attackers directly compromise OAuth tokens via the device code authorization mechanism. The method bypasses traditional credential detection, making it substantially harder for SOC teams to identify and respond to breaches. Accounts are compromised without exposing user passwords.
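One way a SOC could surface the sign-ins described above, as an added example that is not part of the original post: the Python below flags successful device code sign-ins and notes what makes each one unusual. It assumes logs exported one JSON object per line in the shape of Microsoft Graph `signIn` entries with an `authenticationProtocol` field; the function name, the `expected_users` allowlist and the sample records are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records (not real data), one JSON object per line.
SAMPLE_LOG = """\
{"createdDateTime":"2025-03-03T08:01:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"none","ipAddress":"198.51.100.10","appDisplayName":"ExampleMail","status":{"errorCode":0},"deviceDetail":{"isManaged":true}}
{"createdDateTime":"2025-03-03T08:05:00Z","userPrincipalName":"kiosk@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.20","appDisplayName":"ExampleRoomApp","status":{"errorCode":0},"deviceDetail":{"isManaged":true}}
{"createdDateTime":"2025-03-03T09:30:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","appDisplayName":"ExampleOffice","status":{"errorCode":0},"deviceDetail":{"isManaged":false}}
{"createdDateTime":"2025-03-03T09:45:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.78","appDisplayName":"ExampleOffice","status":{"errorCode":1},"deviceDetail":{"isManaged":false}}
"""

def find_device_code_signins(log_text, expected_users=frozenset()):
    """Return findings for successful device code sign-ins by users not on the allowlist."""
    # Timestamps share one ISO 8601 UTC format, so string order is time order.
    records = sorted((json.loads(line) for line in log_text.splitlines() if line.strip()),
                     key=lambda r: r["createdDateTime"])
    seen_ips = defaultdict(set)  # user -> IPs from earlier successful sign-ins
    findings = []
    for r in records:
        user, ip = r["userPrincipalName"], r["ipAddress"]
        succeeded = r.get("status", {}).get("errorCode") == 0  # 0 means success
        is_device_code = r.get("authenticationProtocol") == "deviceCode"
        if succeeded and is_device_code and user not in expected_users:
            reasons = ["device code flow issued tokens"]
            if ip not in seen_ips[user]:
                reasons.append("IP not seen in earlier sign-ins for this user")
            if not r.get("deviceDetail", {}).get("isManaged"):
                reasons.append("unmanaged device")
            findings.append({"time": r["createdDateTime"], "user": user, "ip": ip,
                             "app": r.get("appDisplayName"), "reasons": reasons})
        if succeeded:
            seen_ips[user].add(ip)
    return findings

if __name__ == "__main__":
    # kiosk@example.com is a constructed account expected to use device code sign-in.
    for f in find_device_code_signins(SAMPLE_LOG, {"kiosk@example.com"}):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

Because no password is involved, the signal here is the authentication protocol itself plus context (new IP, unmanaged device), not a failed-login pattern.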