OAuth Device Code Phishing: A New Microsoft 365 Account Breach Vector
ID: 02cd77fc-31ea-519c-8897-4173248790da
STIX ID: report--02cd77fc-31ea-519c-8897-4173248790da
Feed Name: ANY.RUN's Cybersecurity Blog
ANY.RUN reports a rapidly growing phishing campaign that abuses Microsoft’s OAuth Device Code flow to obtain access and refresh tokens, allowing account takeover in Microsoft 365 tenants without any credential theft. The analysis walks through the attacker-initiated device authorization workflow, provides multiple worker[.]dev IOCs and decrypted network artifacts, and recommends SOC improvements (SSL decryption, behavioral detection, threat-intelligence feeds and sandboxing) to detect and remediate this token-based compromise.