Device Code Lab (DCL) — Deep Dive into a Device Code Phishing Toolkit
ID: 5baf0899-a821-5d35-9e76-49df30b81a68
STIX ID: report--5baf0899-a821-5d35-9e76-49df30b81a68
Feed Name: On the Hunt
This report analyzes the Device Code Lab (Authov) phishing platform, which harvests Microsoft OAuth tokens through the device-code flow and then supports extensive post-exploitation: FOCI cross-resource pivots, virtual-device PRT capture and reactivation, injection of short- and long-lived session cookies, bulk mailbox search, residential-proxy geo-routing, automated sourcing of expired domains, and operator management features. The author provides observed IOCs (domains and IPs), distinctive backend API endpoint patterns useful for hunting, detailed hunts for device-code authentications and FOCI bursts, and operational recommendations for detection and remediation.
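The two hunts the summary names (device-code authentications, then a burst of sign-ins across FOCI family clients as the stolen refresh token is exchanged for tokens to other first-party apps) can be expressed over Entra ID sign-in log records. The script below is an added example, not code from the report or from the toolkit it analyzes. It assumes the Microsoft Graph `signIn` field names (`authenticationProtocol`, `appId`, `userPrincipalName`, `createdDateTime`, `ipAddress`); the sign-in events are constructed for illustration, and the FOCI client-ID table is a small illustrative subset of Microsoft's published family, not the full list. The window and client-count thresholds are tuning assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative subset of FOCI (family of client IDs) members. Assumption: the
# hunt treats any sign-in to one of these as a candidate refresh-token pivot.
FOCI_CLIENTS = {
    "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office",
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI",
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264": "Microsoft Teams",
    "27922004-5251-4030-b22d-91ecd9a37ea4": "Outlook Mobile",
    "4813382a-8fa7-425e-ab75-3b753aab3abb": "Microsoft Authenticator App",
}

# Constructed sample sign-ins in Graph signIn shape: alice completes a device-code
# prompt, then four FOCI clients sign in within minutes from the same address;
# bob is ordinary interactive Teams usage.
SAMPLE_SIGNINS = [json.loads(line) for line in """
{"createdDateTime":"2024-05-01T09:00:00Z","userPrincipalName":"alice@example.com","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10"}
{"createdDateTime":"2024-05-01T09:02:00Z","userPrincipalName":"alice@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10"}
{"createdDateTime":"2024-05-01T09:03:00Z","userPrincipalName":"alice@example.com","appId":"1fec8e78-bce4-4aaf-ab1b-5451cc387264","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10"}
{"createdDateTime":"2024-05-01T09:04:00Z","userPrincipalName":"alice@example.com","appId":"27922004-5251-4030-b22d-91ecd9a37ea4","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10"}
{"createdDateTime":"2024-05-01T09:05:00Z","userPrincipalName":"bob@example.com","appId":"1fec8e78-bce4-4aaf-ab1b-5451cc387264","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.7"}
""".strip().splitlines()]


def parse_ts(value):
    """Parse the Graph UTC timestamp into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def device_code_signins(events):
    """Hunt 1: every sign-in completed via the device-code grant."""
    return [e for e in events if e.get("authenticationProtocol") == "deviceCode"]


def foci_bursts(events, window=timedelta(minutes=10), min_clients=3):
    """Hunt 2: one user reaching >= min_clients distinct FOCI clients inside `window`.
    Returns at most one finding per user, anchored at the earliest burst start."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("appId") in FOCI_CLIENTS:
            by_user[e["userPrincipalName"]].append(e)
    bursts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["createdDateTime"]))
        for i, start in enumerate(evs):
            t0 = parse_ts(start["createdDateTime"])
            in_window = [e for e in evs[i:] if parse_ts(e["createdDateTime"]) - t0 <= window]
            clients = {e["appId"] for e in in_window}
            if len(clients) >= min_clients:
                bursts.append({
                    "user": user,
                    "start": start["createdDateTime"],
                    "clients": sorted(FOCI_CLIENTS[c] for c in clients),
                    "ips": sorted({e["ipAddress"] for e in in_window}),
                })
                break
    return bursts


def hunt(events, follow_window=timedelta(minutes=15)):
    """Correlate both hunts: a FOCI burst starting within `follow_window` after a
    device-code sign-in by the same user is rated high; an uncorrelated burst is medium."""
    dc_by_user = defaultdict(list)
    for e in device_code_signins(events):
        dc_by_user[e["userPrincipalName"]].append(parse_ts(e["createdDateTime"]))
    findings = []
    for b in foci_bursts(events):
        t_burst = parse_ts(b["start"])
        preceded = any(timedelta(0) <= t_burst - t_dc <= follow_window
                       for t_dc in dc_by_user.get(b["user"], []))
        findings.append({**b, "severity": "high" if preceded else "medium"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_SIGNINS):
        print(json.dumps(f, indent=2))
```

The correlation keys on the grant type and on client-family diversity rather than on geography: because the toolkit routes through residential proxies, the pivoting sign-ins can share a plausible local address with the victim's real traffic, so impossible-travel logic alone will miss them.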
