OAuth Device Code Phishing: Exploiting Microsoft’s Authentication Flow

Phishing campaigns are exploiting Microsoft’s OAuth Device Code flow to hijack accounts, bypassing multi-factor authentication by routing victims through legitimate Microsoft login pages. This technique allows attackers to obtain OAuth access and refresh tokens without stealing passwords, leading to delayed detection and persistent access to Microsoft 365 resources.

Edward Kiledjian @ekiledjian
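
Because the victim completes a genuine Microsoft sign-in, detection has to come from sign-in telemetry rather than from spotting a fake login page. The following is an added example, not part of the original post: it triages sign-in records for successful device code authentications that break a user's baseline. The field names are modeled on the Microsoft Entra sign-in log schema, and the two heuristics and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

def rec(ts, user, ip, proto, err=0):
    # Field names modeled on the Microsoft Entra sign-in log schema (assumption).
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "authenticationProtocol": proto, "status": {"errorCode": err}}

# Constructed sample data (documentation IP ranges, example.com users).
# err=1 is a made-up failure code; any non-zero value is treated as a failure.
SAMPLE_SIGNINS = [
    rec("2025-01-10T07:00:00Z", "bob@example.com", "192.0.2.20", "none"),
    rec("2025-01-10T08:00:00Z", "alice@example.com", "192.0.2.10", "none"),
    rec("2025-01-10T09:00:00Z", "bob@example.com", "192.0.2.20", "deviceCode"),
    rec("2025-01-11T09:00:00Z", "bob@example.com", "192.0.2.20", "deviceCode"),
    rec("2025-01-12T02:55:00Z", "alice@example.com", "198.51.100.5", "deviceCode", err=1),
    rec("2025-01-12T03:00:00Z", "alice@example.com", "203.0.113.77", "deviceCode"),
]

def flag_device_code_signins(records):
    """Return successful device code sign-ins that deviate from the user's history."""
    seen_ips = defaultdict(set)   # user -> IPs from earlier successful sign-ins
    used_device_code = set()      # users who have already used the flow
    alerts = []
    # ISO 8601 UTC timestamps sort correctly as strings.
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        if r["status"]["errorCode"] != 0:
            continue              # no tokens were issued on a failed sign-in
        user = r["userPrincipalName"].lower()
        ip = r["ipAddress"]
        if r.get("authenticationProtocol") == "deviceCode":
            reasons = []
            if user not in used_device_code:
                reasons.append("first device code sign-in for user")
            if ip not in seen_ips[user]:
                reasons.append("IP not seen before for user")
            if reasons:
                alerts.append({"time": r["createdDateTime"], "user": user,
                               "ip": ip, "reasons": reasons})
            used_device_code.add(user)
        seen_ips[user].add(ip)
    return alerts

if __name__ == "__main__":
    for alert in flag_device_code_signins(SAMPLE_SIGNINS):
        print(alert["time"], alert["user"], alert["ip"], "; ".join(alert["reasons"]))
```

An alert here is a lead for review, not a verdict: a confirmed case also needs the user's refresh tokens revoked, since those are what give the persistent access the post describes.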