In early 2026, phishing attacks remain a top threat vector in security operations. This analysis covers a novel attack method exploiting Microsoft's OAuth 2.0 Device Authorization Grant (Device Code Flow) to compromise user accounts. Attackers use phishing emails containing Mailchimp's Mandrill service links to bypass security controls, leading victims to fake Adobe-themed websites. The sites abuse legitimate Microsoft authentication mechanisms to obtain access and refresh tokens, granting persistent delegated access to critical resources like Graph API, Teams, Outlook, and SharePoint. The technique leverages shared client IDs across tenants and family of client IDs (FOCI) for lateral movement. Two variants exist: one using external phishing infrastructure with dynamic code generation, and another relying solely on fake meeting invitations containing pre-generated device codes. The attack is particularly effective as it uses legitimate Microsoft services, making detection challenging.