An active Microsoft 365 phishing campaign is abusing the OAuth 2.0 Device Authorization Grant flow to achieve account takeover without stealing passwords. The attack utilizes ClickFix-style landing pages with Unicode obfuscation and tricks victims into authorizing an attacker-controlled device via legitimate Microsoft authentication portals, coordinating the flow via a 4-second beaconing mechanism.