A new phishing technique abusing Microsoft's OAuth Device Code flow is on the rise, with over 180 phishing URLs detected in a week. This method shifts from credential theft to token-based account takeover, making detection more challenging. Attackers initiate a device authorization process, tricking victims into approving it on legitimate Microsoft pages. The attack uses encrypted HTTPS traffic and legitimate authentication flows, bypassing traditional phishing indicators. Victims unknowingly grant attackers access to their Microsoft 365 accounts through OAuth tokens. This poses a critical risk as it allows immediate access to corporate data and resources, potentially leading to business email compromise and persistent access through refresh tokens.